How to deploy new certificates to wireless clients (WPA2 Enterprise)?

By stein_brian
So we have a pilot program going with about 100 iPads. We created a new wireless network specifically for these 100 iPads that is very simple, and basically it's a non-broadcasted SSID using WPA2 Enterprise security that we configured on each iPad before we gave them out. Now, I wasn't here when this was first set up, but what I've discovered is that after setting up the wireless settings on the iPad, it prompts to accept a self-signed certificate from the RADIUS server (one of our AD domain controllers). Once accepted, the iPad joins the network and all works great. What I found, though, is that this self-signed certificate expires this May. So my questions are: 1) What will happen to the iPads' wireless once their certs expire in May? I'm assuming they will lose access to the wireless network. 2) Is there a way to make the iPads automatically get an updated cert if I renew the cert on the server? I'm looking for some insight in moving forward with this to prevent an issue come May. Any thoughts are greatly appreciated, thank you!


All Answers

They won't be able to authenticate to the server.

by seanferd In reply to How to deploy new certifi ...

I would push out the new certs (via GP??) just before the expiry date if the iPads hold the cert.
But if they are already set to accept the cert from the server, just install the new cert on the server over the old one, and the user will be prompted to accept it.

Response To Answer

by stein_brian In reply to They won't be able to aut ...

So is there a way to install a new/updated cert on the server side by side with the current cert so as to test it out? Meaning, since I've never encountered this with iPads, I would love to be able to test it out first before doing this system-wide. Or at the very least, would the following work: after hours, export the current cert out on the server and then install the updated cert on the server so I can try it on one iPad. Then, once I'm satisfied, import the original cert back so that when users come in the next day they won't notice any change, and then I can start planning rolling out the new cert as May approaches? My reasoning is, assuming what you say above works, I will need to alert my users first so they are aware of what they will be seeing and how to accept the cert, so once I know exactly what it will look like I will write it up for them.

well, you might have to have them bring em in

by CG IT In reply to How to deploy new certifi ...

To make it accessible to remote users before the cert expires, make a share with the cert installer package they can access after logging in and have em install it in Root CA. As long as the current cert is in the Root CA on their device, that's all that RADIUS authentication cares about. Do they have it? And is it the right one?

Oh, and revoke the old one. If you don't revoke it, CA will say it's still valid, even if it's expired. Windows might throw a warning notice about expired certs, but as long as the cert is issued, and not revoked, CA doesn't care; it's still valid because it's still issued.

Response To Answer

by stein_brian In reply to well, you might have to h ...

Well, these aren't really remote users per se, they're iPad users. So they don't log in to Windows or anything like that. It's simply the WPA2 Enterprise WLAN network they connect to when onsite, so there's no share for them to connect to???
