We went through this not long ago. The root cert in our chain is valid
until 2028, and the one intermediate is valid until 2024, so we were able
to maintain the same chain and just swap out our server cert with pretty
much zero pain. Some warnings about how the cert changed but we told our
users well ahead of time that they needed to expect this and this time it's
OK to ignore and OK their way through any warnings.

We just use SHA256 with a key length of 4096 bits. We do not use our own CA
on the server that I'm looking at, our certificate is a GlobalSign one.

Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Wed, May 16, 2018 at 12:02 PM, Turner, Ryan H <[email protected]>
wrote:

> We still use SHA2 256 bit certificates with a 2048 length.  When I was
> doing research on this a few years ago, I believe there was extra
> processing power required once you went above 256bit (requires an
> additional computation).  I could be completely wrong about that, but we
> have had mass deployment of user certificates for over 5 years with that
> setup without any issue.  I don't see any reason to get cute with hashing
> algorithms at this point or length at this point as it might cause you more
> grief than it is worth.
>
>
> Ryan Turner
> Senior Manager of Networking
> ITS Communication Technologies
> The University of North Carolina at Chapel Hill
>
> [email protected]
> +1 919 445 0113 Office
> +1 919 274 7926 Mobile
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv <
> [email protected]> On Behalf Of James Andrewartha
> Sent: Tuesday, May 15, 2018 11:24 PM
> To: [email protected]
> Subject: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate
>
> Hi all,
>
> While debugging another problem (Windows 10 client that lost its
> certificates and some EAP configuration) I noticed that our private CA used
> for WPA2 Enterprise RADIUS auth expires in September next year. The
> certificate used by the RADIUS servers is valid until January 2024, but am
> I correct in thinking that if the CA has expired the cert won't be trusted
> either?
>
> Has anyone rotated their cert and have any tips for managing the flag day?
> I'm going to create a new private CA, this time with a 30 year lifetime,
> although I imagine it'll be obsolete before then due to increased crypto
> requirements. Speaking of which, what are the best practices for a private
> CA these days? SHA2 (384bit)? SHA3? RSA? Elliptic Curve?
>
> We are fortunate in that most of our devices are school owned and so we
> can push out wireless configuration. I had a look at the Windows and Mac
> configs, and both of those can trust multiple CAs for a given SSID. On iOS
> we don't push out wireless config, but we were going to reprovision the
> remaining ones anyway at the end of this year so that's fine.
>
> Thanks,
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/discuss.

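James's question (does a still-valid RADIUS server certificate stop being trusted once its CA expires?) and Matt's root/intermediate/server-cert situation both come down to the same rule: a chain is only usable while every certificate in it is inside its own validity dates, so the usable window is the intersection of all of them. The following Python script is an added example, not code from anyone in this thread; it parses the `subject`/`notBefore`/`notAfter` lines that `openssl x509 -noout -subject -dates` prints for each certificate (a constructed sample with dates shaped like James's is embedded, leaf first, then its issuer) and reports when the chain stops being trusted and which certificate is the limiting one.

```python
from datetime import datetime

# Constructed sample in the format printed by `openssl x509 -noout -subject -dates`
# for each cert in the chain (leaf first, then its issuers); not real certificates.
SAMPLE = """\
subject=CN = radius.example.invalid
notBefore=Jan 10 00:00:00 2019 GMT
notAfter=Jan 10 00:00:00 2024 GMT
subject=CN = School Private RADIUS CA
notBefore=Sep  1 00:00:00 2009 GMT
notAfter=Sep  1 00:00:00 2019 GMT
"""
DATE_FMT = "%b %d %H:%M:%S %Y %Z"

def parse_openssl_dates(text):
    """Return [(subject, notBefore, notAfter), ...] in the order given."""
    certs, cur = [], None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "subject":
            cur = {"subject": value.strip()}
            certs.append(cur)
        elif key in ("notBefore", "notAfter") and cur is not None:
            # openssl pads the day to two columns; collapse the extra space
            cur[key] = datetime.strptime(" ".join(value.split()), DATE_FMT)
    return [(c["subject"], c["notBefore"], c["notAfter"]) for c in certs]

def chain_window(certs):
    """The chain is usable only while every cert in it is within its dates,
    so the usable window is the intersection of all the validity windows."""
    return max(nb for _, nb, _ in certs), min(na for _, _, na in certs)

def trusted_on(certs, when):
    """True if the whole chain, not just the leaf, is valid at `when`."""
    start, end = chain_window(certs)
    return start <= when < end

def chain_report(certs):
    """Name the cert that cuts the window short and flag a leaf that outlives it."""
    start, end = chain_window(certs)
    return {
        "trusted_from": start,
        "trusted_until": end,
        "limited_by": [s for s, _, na in certs if na == end],
        "leaf_outlives_chain": certs[0][2] > end,
    }
```

Feed it the real chain with `for c in chain/*.pem; do openssl x509 -noout -subject -dates -in "$c"; done` and `leaf_outlives_chain` is the case James asked about: the server cert's own dates say 2024, but the chain is dead the day the CA expires.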