Hi all,

While debugging another problem (Windows 10 client that lost its
certificates and some EAP configuration) I noticed that our private CA
used for WPA2 Enterprise RADIUS auth expires in September next year. The
certificate used by the RADIUS servers is valid until January 2024, but
am I correct in thinking that if the CA has expired the cert won't be
trusted either?

Has anyone rotated their cert and have any tips for managing the flag
day? I'm going to create a new private CA, this time with a 30 year
lifetime, although I imagine it'll be obsolete before then due to
increased crypto requirements. Speaking of which, what are the best
practices for a private CA these days? SHA2 (384bit)? SHA3? RSA?
Elliptic Curve?

We are fortunate in that most of our devices are school owned and so we
can push out wireless configuration. I had a look at the Windows and Mac
configs, and both of those can trust multiple CAs for a given SSID. On
iOS we don't push out wireless config, but we were going to reprovision
the remaining ones anyway at the end of this year so that's fine.

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
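
The situation asked about above (a server certificate whose validity outlasts its issuing CA), as an added example that is not part of the original post. It shows how OpenSSL's chain verification treats that case. It assumes the `openssl` CLI is installed, and the CA, host name, lifetimes and file names are all constructed for illustration. Other validators, such as the Windows or macOS supplicants, are not tested here.

```shell
#!/bin/sh
# Added example: throwaway, constructed CA and server certificate (not real ones).
# Assumes the openssl CLI is available; all names and lifetimes are made up.
WORK=$(mktemp -d)

build_chain() {
    # Root CA valid for 10 days: stands in for the CA that expires first.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 10 \
        -subj "/CN=Example Wireless CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Key and signing request for the (hypothetical) RADIUS server.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    # Server certificate valid for 100 days, so it outlives its issuer.
    openssl x509 -req -in "$WORK/srv.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -sha256 -days 100 -out "$WORK/srv.pem" 2>/dev/null
}

# chain_valid_in_days N: exit status 0 if srv.pem verifies against ca.pem
# when the verification time is set to N days from now.
chain_valid_in_days() {
    at=$(( $(date +%s) + $1 * 86400 ))
    openssl verify -attime "$at" -CAfile "$WORK/ca.pem" "$WORK/srv.pem" \
        >/dev/null 2>&1
}

build_chain
for d in 1 50; do
    if chain_valid_in_days "$d"; then
        echo "day $d: chain verifies"
    else
        echo "day $d: chain rejected"
    fi
done
```

On day 50 the server certificate is still inside its own validity period, but the CA is not, and verification fails for the chain as a whole.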

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
