==Certificate Pinning==
Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate.
In order to generate the certificate hash, [https://pki.vt.edu/ca-manager/certSearch?cmd=search&keyword=VT-Wireless search] for eduroam.nis.vt.edu, and download the certificate by clicking the "download" link. '''Note:''' This site is only available to Virginia Tech IPs (including VPN), and requires PID login.
Validate that the downloaded certificate is in fact signed by the (now obsolete) [http://www.pki.vt.edu/developer/rootca.html#globalqualifiedserver Virginia Tech Global Qualified Server CA] chain. You will first need to download ''all'' certificates in the "CA: Virginia_Tech_Global_Server_CA" chain and concatenate them.
It is worth noting that the new Virginia Tech CA is signed by the GlobalSign - R3 CA, and the RADIUS server presents the name "eduroam.nis.vt.edu".
 $ cat /etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem TrustedRootCASHA256G2.pem VirginiaTechGlobalRootCA.pem VirginiaTechGlobalQualifiedServerCA.pem >> ca.pem
 $ openssl verify -verbose -purpose sslserver -CAfile ca.pem eduroam.nis.vt.edu.crt
 eduroam.nis.vt.edu.crt: OK
Then generate the sha256 hash:
 $ openssl x509 -in VT-Wireless.cns.vt.edu.crt -outform der | sha256sum
It is recommended that you perform these steps yourself rather than trusting the certificate hash presented in the configurations below.
'''Note:''' As we are pinning the certificate instead of relying on a PKI, when NI&S rotates the certificates being used (at least every 2 years), the configuration will need to be updated to match the new certificate.
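The hash step and the rotation check above, as an added example that is not part of the original page: it converts a downloaded PEM to DER (what <code>openssl x509 -outform der</code> does), computes the SHA-256 pin, and reports whether a stored pin still matches, which is how a rotated certificate shows up. The PEM and pin below are constructed stand-ins (the body decodes to <code>abc</code>, a known SHA-256 test vector), not the real eduroam certificate.

```python
import base64
import hashlib
import hmac
import re

# Matches the base64 body of the first CERTIFICATE block in a PEM file.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for the downloaded certificate: the base64 body decodes
# to b"abc", so the expected pin is the standard SHA-256 test vector. A real
# PEM from the CA search page drops in here unchanged.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_PIN = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first certificate in PEM text (PEM is base64 DER)."""
    match = PEM_CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def sha256_pin(der: bytes) -> str:
    """The pin the page uses: lowercase hex SHA-256 of the DER encoding."""
    return hashlib.sha256(der).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept bare hex or the colon-separated form printed by
    `openssl x509 -fingerprint -sha256`, in either case."""
    return pin.replace(":", "").strip().lower()


def check_pin(pem_text: str, expected_pin: str) -> bool:
    """True if the certificate in pem_text hashes to expected_pin.

    False is what a rotated certificate looks like: the chain may still
    validate, but the pinned hash no longer matches and the supplicant
    configuration has to be updated with the new value.
    """
    actual = sha256_pin(pem_to_der(pem_text))
    return hmac.compare_digest(actual, normalize_pin(expected_pin))


if __name__ == "__main__":
    print(sha256_pin(pem_to_der(SAMPLE_PEM)))
    print("pin matches:", check_pin(SAMPLE_PEM, SAMPLE_PIN))
```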
===A Word of Caution===