Oh jeez. I don't suppose anyone here has experience with EAP certificates for RADIUS servers handling Wifi APs? I generated a root key+certificate and a server certificate for FreeRADIUS a couple of years ago and apparently I generated a new cert last year, but I cannot for the life of me figure out where I put the root cert key or how I generated last year's cert. I thought I was using gnomint (and there's a gnomint database right there) but it doesn't seem to have the right root cert and I can't seem to figure out how to generate a new cert in it this year anyway.
So my question is: are there many common Wifi clients that actually need (or benefit from) the CA public key being imported and cert verification turned on for connecting to that AP? If not, maybe it's unlikely any of the users will have turned on verification, in which case I might well be able to get away with just generating a new root key and cert and starting over. If it's common to import the cert and turn on verification I probably ought to keep searching all my computers and servers to see if I can find the flippin root CA key.
Have I mentioned I hate computers? :( I basically hate my chosen line of work, it seems.
In my experience with EAP-TTLS and Apple, even if you import and trust the root, it still asks you to accept a new cert every time it rotates anyway (usually with a warning it’s untrusted even if the root is trusted for everything else). Windows I don’t think checks, and I know Linux only checks if you explicitly specify it; I can’t speak to anything else though.
If you’re using EAP-TLS, then you absolutely need to have the root trusted, but this is pretty advanced.