this post was submitted on 21 May 2025
networking


Has anybody heard if the upcoming 47-day maximum on TLS cert lifetime will apply to Enterprise wifi auth using private PKI (especially on iOS and Android)?

We have a campus CA that signs the TLS cert used by RADIUS when students connect to wifi using personal devices. Freshmen need to accept the cert once (hopefully after checking the fingerprint), then usually one more time before graduation. Every 47 days would be difficult.

top 3 comments
[–] [email protected] 3 points 2 days ago

The CAB Forum only governs public CAs and certificates and the use of certs on the public internet. Your private PKI will be unaffected by the new changes. On top of that, the change will be introduced gradually: the first reduction is in March 2026 and will limit certs issued after March 2026 to 200 days, so even if you saw some impact for some reason you'd still have a couple of months to put a fix in place.

Freshmen need to accept the cert once (hopefully after checking the fingerprint)

Nobody is checking the fingerprint, nobody

[–] [email protected] 2 points 2 days ago

I'm pretty sure certificates signed by internal CAs are exempt. I would have to go find the documentation but I believe that was called out.

[–] [email protected] 2 points 2 days ago* (last edited 2 days ago)

Is the campus CA internal? I don't think TLS libraries will complain. I'm still using 2-year certs internally in my org without problems, and that's for web applications. My homelab internal certs (server to server) are still using in-house 5-year certs.
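A check for the situation in this thread, added here as an example (my code, not from any of the posters): it builds a constructed self-signed stand-in for the campus RADIUS server cert, reports whether it chains to the OS trust store (the only certs the CA/B Forum caps reach), compares its lifetime with a cap you pass in (200 for the March 2026 step, 47 for the eventual limit), and computes the SHA-256 fingerprint to publish for the first-connect check. The CommonName and the 730-day lifetime used in the test are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)
// publiclyTrusted reports whether c chains to the OS trust store. Only such certs fall
// under the CA/B Forum caps; a campus CA's cert (or this self-signed stand-in) returns false.
func publiclyTrusted(c *x509.Certificate) bool {
	roots, err := x509.SystemCertPool()
	if err != nil {
		return false
	}
	_, err = c.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}
// assess returns the validity period in days, the SHA-256 fingerprint to publish in the
// onboarding guide, and whether c is both publicly trusted and valid longer than capDays.
func assess(c *x509.Certificate, capDays int) (days int, fp string, overCap bool) {
	days = int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
	sum := sha256.Sum256(c.Raw)
	fp = hex.EncodeToString(sum[:])
	return days, fp, publiclyTrusted(c) && days > capDays
}
// newRadiusCert builds a constructed self-signed stand-in (placeholder name) for the campus RADIUS cert.
func newRadiusCert(days int) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now().UTC()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "radius.campus.example"},
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To check a real RADIUS cert instead of the stand-in, decode its PEM with encoding/pem, parse it with x509.ParseCertificate and hand it to assess; a cert from the campus CA comes back overCap=false whatever its lifetime, which is the thread's conclusion.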