I think it's going to "depend" on each Operating System for the 802.1X authentications being affected.
The information below is more of just an FYI on what I've observed (cause I imagine someone's going to say - If I'm going through the trouble of installing a public Root CA that already exists - then why not go ahead and use a Private CA). 1. Apple specifically states "This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS." - so that makes me wonder if you install a public Root CA via a mobile config for example for iOS - does that exempt it from the 1 year limitation then? 2. Chrome OS though (at least from the behavior I've seen) you can't install a public Root that already exists on to the OS. I don't think I would trust those "possible exceptions though". One of the annoying things I felt with Android and Chromebook for certificate management was If I go into the device and "Disable/Turn Off the certificates/Set to Not Use" - then all portions of the Operating System should not use those certificates regardless. However, from what I saw, even if I disable some of the Public CAs - the wireless supplicant still seems to trust them. Christopher Johnson Wireless Network Engineer Office of Technology Solutions | Illinois State University (309) 438-8444 Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter -----Original Message----- From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Tim Tyler Sent: Wednesday, August 19, 2020 8:45 AM To: [email protected] Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? [This message came from an external source. If suspicious, report to [email protected]<mailto:[email protected]>] I was told by Sertigo that all commercial certs would be affected. We just bought the last 2 year expirations we could get away with for both 802.1x and https. The reason I am told has to do with so many smaller establishments that go out of business before their cert expires leaving the cert as a security vulnerability for consumers. I just wish there was a way to allow for the longer certs for those of us that have a long history of existence and stability. Such a pain. And I am told they are debating quarterly cert replacements in the future. That would turn cert management into a much bigger responsibility if that were to happen. Hopefully that doesn’t happen. And yes, if you want to manage EAP with your own self cert, I believe you can use a longer expiration. Tim -----Original Message----- From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto:[email protected]] On Behalf Of Andrew Gallo Sent: Wednesday, August 19, 2020 8:29 AM To: [email protected] Subject: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Does anyone know if the new, shorter certificate expiration for TLS that Apple announced (and Google is following) will affect 802.1X authentication? Thanks -- ________________________________ Andrew Gallo The George Washington University ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
