The way SSL certs are signed has changed. In the past, a Root CA signed SSL certs directly. As of this year, the industry (at least SecureTrust/TrustWave) allegedly has a Root CA sign an Intermediate Chain Cert, which in turn signs all downstream SSL certs.

What’s that mean to you?

Windows machines doing 802.1x try to validate the SSL certificate by default. For that to happen, they have to know about the chain cert that signed the server’s SSL cert.

Windows OSes don’t know about the new chain cert, so you’ll have to import it.

You can grab the cert from https://wifireg.defcon.org/ca.php

Download the “wifireg.cer” file, double-click it, and import it.

From that point, you can “validate” the cert and proceed.
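
One way to check the downloaded file before trusting it, as an added PowerShell example that is not part of the original post. It assumes wifireg.cer was saved to the current directory and is the intermediate chain cert described above, and it imports the file into the current user's Intermediate Certification Authorities store only if it is a CA certificate that chains to a root Windows already trusts.

```powershell
# Added example. Assumption: wifireg.cer (the file named above) is in the current directory.
$path = (Resolve-Path '.\wifireg.cer').Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)

# 1. Show who the certificate claims to be and who signed it.
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# 2. An intermediate chain cert must be flagged as a CA and must not be self-signed.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
$isCa       = [bool]($bc -and $bc.CertificateAuthority)
$selfSigned = ($cert.SubjectName.Name -eq $cert.IssuerName.Name)

# 3. Build the chain against the roots Windows already trusts.
#    Revocation lookups are skipped because the machine may not be online yet.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
$chain.ChainElements | ForEach-Object { '  chain: ' + $_.Certificate.Subject }

# 4. Import as an intermediate (not as a trusted root) only if every check passed.
if ($isCa -and -not $selfSigned -and $trusted) {
    Import-Certificate -FilePath $path -CertStoreLocation Cert:\CurrentUser\CA
} else {
    Write-Warning "Not imported: isCA=$isCa selfSigned=$selfSigned chainsToTrustedRoot=$trusted"
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
}
```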

(Your other option is to opt not to validate, and the login process will proceed as if you used a self-signed cert).

We’ve been testing this the last couple hours and believe this is currently what many people are seeing (and what we see in our logs).

Try this - if it doesn’t work, let us know and we’ll dig into it further.

