Server certificate renewal
douglas eseng
douglas.eseng at gmail.com
Mon Jan 11 10:05:37 CET 2016
On Sun, Jan 10, 2016 at 11:23 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Jan 10, 2016, at 6:25 AM, douglas eseng <douglas.eseng at gmail.com> wrote:
>> After renewal of server cert, existing iOS devices ask user to again trust
>> the cert. Is this normal behaviour?
>
> Yes.
>
>> Since it was a renewal, would have
>> thought it is recognized as the same cert and remain trusted.
>
> What, exactly, makes it the "same" cert? The private key has changed. The public key has changed. The fingerprint has changed. The expiry date has changed.
In our case, the public key remains the same. But it doesn't matter, since
the device remembers the fingerprint, as pointed out by Alan Buxey.
Since this has changed, this is the expected behaviour.
>
> Some fields in the new cert are the same as the old one, so that might help. But there's nothing in the new cert which says "this certificate replaced old certificate X".
>
>> Anyone know once user trusted the cert, what digest/fingerprint of the cert
>> does iOS remember? Unable to find info on this from Apple's site.
>
> iOS remembers the fingerprint. Which has changed.
>
> Every time you add a cert, you've got to trust it again. There is a chain of trust for signing certificates. There is no chain of trust for replacing certificates.
>
> Alan DeKok.
Understood and thank you.
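The point settled in this thread, as an added example that is not part of the original messages: a certificate reissued for the same key pair keeps its public-key hash but gets a new certificate fingerprint, because the fingerprint covers the whole certificate (serial, validity dates, signature). The subject name, serial numbers, lifetimes and the use of self-signed certificates in place of CA-issued ones are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: renewing a server cert with the SAME key still changes the
# certificate fingerprint. Subject, serials and lifetimes are constructed.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# SHA-256 over the entire DER-encoded certificate (the "fingerprint").
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 over only the SubjectPublicKeyInfo, i.e. the public key itself.
spki_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# issue_cert <serial> <days> <outfile>
# Self-signed stand-in for the cert a CA would issue (assumption).
issue_cert() {
    openssl req -new -x509 -sha256 -key "$workdir/server.key" \
        -subj "/CN=radius.example.org" -set_serial "$1" -days "$2" -out "$3"
}

# One key pair, reused for both the original and the renewed certificate.
openssl ecparam -name prime256v1 -genkey -noout -out "$workdir/server.key"

issue_cert 1 365 "$workdir/old.pem"      # original certificate
issue_cert 2 730 "$workdir/renewed.pem"  # renewal: same key, new serial/dates

old_fp=$(cert_fingerprint "$workdir/old.pem")
new_fp=$(cert_fingerprint "$workdir/renewed.pem")
old_spki=$(spki_hash "$workdir/old.pem")
new_spki=$(spki_hash "$workdir/renewed.pem")

echo "old cert fingerprint:     $old_fp"
echo "renewed cert fingerprint: $new_fp"
echo "old public-key hash:      $old_spki"
echo "renewed public-key hash:  $new_spki"

[ "$old_spki" = "$new_spki" ] && echo "public key: unchanged"
[ "$old_fp" != "$new_fp" ] && echo "fingerprint: changed, so a client that stored it asks again"
```

Running the two helper functions against the outgoing and incoming certificates before a rollover shows in advance whether clients that stored the old fingerprint will be prompted again.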