Our RADIUS cert was set to expire in May. I decided to do both the Sectigo root cert and the RADIUS cert in one fell swoop. We spoke with our IT security team, and they provided us with the updated cert set to expire in 2034.
I did this all in our test ClearPass environment, then moved to production. First I imported the new root cert and kept the old RADIUS cert. The old cert chain picked up the new root cert; you could see it on the cert presented to the client. No user impact. Then I imported the new RADIUS cert and it worked with the new Sectigo root. Then I deleted the old Sectigo root cert. I tested with a client and could see the new RADIUS cert and the correct Sectigo root cert being presented properly. So, again, no user impact in our testing/implementation. Another member on my team had to do the same with our ASAs for VPN.

Hope this helps.

-- Derek

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Bruce Boardman
Sent: Tuesday, April 14, 2020 8:52 AM
To: [email protected]
Subject: [WIRELESS-LAN] Sectigo/InCommon/Comodo AddTrust External CA Root Expiration

The Sectigo 'AddTrust External CA Root' root certificate is expiring May 30th 2020. We use a supplicant cert signed by this chain in our Cisco ISE RADIUS PEAP config for 802.1x wireless clients. Cisco is telling me that this end client Cert must be reissued using a new root due to differing serial numbers between the old and new root certs. Sectigo states that it is not likely needed due to cross signing of the new root cert with the old. Here's the knowledge article https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT.

Anyway I was wondering if anyone has had any experience with changing roots on ISE or other RADIUS setups, or just knows what makes sense in regards to this root swap out and the possible end user impact.

Thanks
Bruce

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at https://www.educause.edu/community
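
Added example, not part of either message above: a throwaway lab PKI that models cross-signing in general (not Sectigo's actual hierarchy) and checks that one unchanged server cert validates under both the old and the new trust anchor. It assumes the OpenSSL command-line tool is installed; every name, key and serial number is constructed.

```shell
#!/bin/sh
# Constructed lab PKI; every name, key and serial here is hypothetical.
# "Lab New Root" (key U) exists twice: cross-signed by "Lab Old Root" and
# self-signed. The RADIUS server cert is issued once and never reissued.

mkcsr() {  # mkcsr <name> <subject>: new key and CSR under $LAB
  openssl genrsa -out "$LAB/$1.key" 2048 2>/dev/null &&
  openssl req -new -key "$LAB/$1.key" -subj "$2" -out "$LAB/$1.csr"
}

sign() {   # sign <csr-name> <out.pem> <serial> <days> <extfile> <signer opts...>
  csr=$1 out=$2 serial=$3 days=$4 ext=$5; shift 5
  openssl x509 -req -in "$LAB/$csr.csr" -out "$LAB/$out" -set_serial "$serial" \
    -days "$days" -extfile "$LAB/$ext" "$@" 2>/dev/null
}

build_lab() {
  LAB=$(mktemp -d) || return 1
  printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > "$LAB/ca.ext"
  # The leaf names its issuer by key identifier only, not by issuer+serial.
  printf 'authorityKeyIdentifier=keyid\n' > "$LAB/leaf.ext"
  mkcsr old "/CN=Lab Old Root" && mkcsr u "/CN=Lab New Root" &&
  mkcsr radius "/CN=radius.example.test" &&
  # Old root: self-signed trust anchor with a short lifetime.
  sign old old_root.pem 1 30 ca.ext -signkey "$LAB/old.key" &&
  # Key U certified by the old root (the cross-signed certificate).
  sign u u_cross.pem 100 30 ca.ext -CA "$LAB/old_root.pem" -CAkey "$LAB/old.key" &&
  # Key U self-signed: same subject and key, different serial, longer life.
  sign u new_root.pem 200 3650 ca.ext -signkey "$LAB/u.key" &&
  # Server cert signed once with key U.
  sign radius radius.pem 300 365 leaf.ext -CA "$LAB/new_root.pem" -CAkey "$LAB/u.key"
}

verify_with() {  # verify_with <trust-anchor.pem> [untrusted-intermediate.pem]
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$LAB/radius.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$LAB/radius.pem" >/dev/null 2>&1
  fi
}
```

After `build_lab`, `verify_with "$LAB/old_root.pem" "$LAB/u_cross.pem"` and `verify_with "$LAB/new_root.pem"` both succeed for the same `radius.pem`, even though the two issuer certificates carry different serial numbers.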
