Meraki Authentication Server Certificate Rotation - Aug 2020
Overview
Due to an approaching certificate expiration, Meraki will rotate the RADIUS server certificate for Meraki Authentication on 3 August 2020. The expected impact and the remediation steps for potential issues are described below.
Meraki Authentication with Sentry Wifi
Users of Meraki Authentication with Systems Manager Sentry Wifi whose devices were online between 1 May 2020 and the rotation date of 3 August 2020 will see no user-visible impact.
Users whose devices were not online during that period simply need to associate to an SSID that allows the device to check in with dashboard for long enough to complete a check-in cycle (~2 minutes). The device then receives the updated payload and resumes normal operation.
Meraki Authentication without Sentry Wifi
Users of Meraki Authentication without Sentry Wifi will need to 'trust' the new certificate, identified by the information below, when associating to the Meraki Authentication SSID on or after 3 August 2020. Some devices may require the SSID to be "forgotten" before they will prompt to accept the new certificate.
Host: radius.meraki.com
Issued: Sectigo RSA Domain Validation Secure Server CA
Expires: August 1, 2022
Trusted Access
Users who connect to an SSID with a Trusted Access configuration will need to re-download their device's Trusted Access configuration from portal.meraki.com on or after the 3 August 2020 rotation date.
Certificate Details
Below is a copy of the certificate which users will be required to accept, as well as the plaintext output from reading the certificate with openssl:
meraki$ openssl x509 -noout -text -in ./new.meraki-auth-radius.cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8c:f4:85:20:b7:23:aa:65:22:46:e0:8a:d7:07:54:8e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
        Validity
            Not Before: Apr 29 00:00:00 2020 GMT
            Not After : Aug 1 00:00:00 2022 GMT
        Subject: CN=radius.meraki.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:c9:39:4a:fa:a9:ea:b2:55:cd:6b:23:9b:63:
                    f5:13:ac:17:ee:57:53:af:4e:08:4d:1b:12:36:b4:
                    4b:9d:59:8e:2a:c4:45:6b:35:ef:f9:dd:fa:6c:4d:
                    5a:b4:2d:5f:13:70:9c:e7:0b:63:f8:95:b5:ad:2d:
                    10:9f:8c:76:82:89:f3:b9:7c:e5:26:9d:f2:73:61:
                    81:01:0f:1f:29:b7:87:7f:72:4b:cd:54:71:d6:4f:
                    c5:b8:20:dc:8b:d5:a0:94:dd:8c:5a:42:99:91:2a:
                    2a:85:79:aa:3f:5c:59:77:60:5c:87:72:ce:df:c4:
                    fd:09:34:72:c7:a6:b3:af:ad:ac:dc:16:a8:16:34:
                    d5:0f:bb:7e:6b:89:72:98:4c:75:00:4a:cf:48:46:
                    84:03:e3:4c:1a:b5:89:79:12:fa:8b:93:bd:40:86:
                    aa:5b:0b:c0:6c:0d:f8:d7:a0:34:bb:fb:eb:37:1f:
                    39:ab:99:75:72:07:0f:1a:cb:9a:08:a3:47:13:35:
                    71:e6:48:05:51:28:f8:26:e5:b5:7b:35:aa:a5:49:
                    72:e0:d0:3d:b9:50:20:15:0a:17:c5:2e:64:10:8e:
                    3a:21:db:81:6c:db:75:07:a8:c5:28:af:2c:0a:2d:
                    35:8b:5c:45:45:eb:df:e1:b9:fd:35:8a:ed:96:eb:
                    c1:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
            X509v3 Subject Key Identifier:
                C7:0E:68:73:E9:18:D7:6A:6B:80:06:BB:81:0D:22:95:E3:A8:BD:EC
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.sectigo.com
            X509v3 Subject Alternative Name:
                DNS:radius.meraki.com, DNS:www.radius.meraki.com
            1.3.6.1.4.1.11129.2.4.2:
                .......v.F.U.u.. 0...i..}.,At..I.....p.mG...q..[......G0E. ..'...@..<....t..^............u..!....CeT.U)...)}...q..r.7^.........v...^.h.O.l..._N>Z.....j^.;.. D\*s...q..[E.....G0E.!....s...k(k.^(`...j...6..c.....,8. 'H....i.......1.9. ._.'.......\ZJ.....cDf;N....8.e..v.)y...99!.Vs.c.w..W}.`.....E0C......TC-.$......0..3!.e^.M.I ..M]&\%].....q..[R.....G0E. ......w..6.....0...4.J.Xi.....u..!..pU......V+....^rBJ....c....4...
    Signature Algorithm: sha256WithRSAEncryption
         5a:3f:c0:30:b1:e3:33:4c:3c:64:35:c6:1a:97:37:c9:5e:42:
         e9:cd:00:d6:a0:fb:bc:e0:4b:17:c2:c8:2b:f2:97:a0:7a:60:
         b5:50:c6:b3:99:55:2d:17:d2:2c:18:3f:11:72:96:24:9d:7a:
         fe:9d:fa:33:88:05:49:5e:0c:38:18:9c:87:87:4d:38:52:9e:
         c7:07:41:33:fa:c6:af:0f:f6:ab:41:04:a7:e4:51:27:ec:e9:
         b2:a9:39:cb:1b:f9:a6:af:b8:ee:a0:d3:c1:b7:3f:aa:34:18:
         fb:8f:36:44:2d:65:08:95:f7:03:d1:d2:f3:10:81:3a:15:6c:
         9e:f0:f6:38:83:a2:20:f8:f5:5c:4e:0a:f7:21:2b:1f:58:e9:
         0e:6a:a1:7f:64:29:03:b1:1f:e8:04:ad:74:bf:a1:a4:c5:bb:
         0c:64:f8:fa:18:8f:b4:6c:ef:0f:66:f9:29:4b:b1:b7:29:aa:
         87:e3:ed:3e:57:89:19:3b:7c:84:d8:8d:1c:2e:f4:40:fa:cb:
         de:61:63:bc:b7:d8:34:ed:7a:29:f2:12:f9:59:85:34:2e:cc:
         83:f6:d8:50:68:76:da:55:8d:82:a8:e2:d4:8a:04:74:e8:e6:
         a2:ca:80:2a:91:f4:45:67:a5:c1:ae:f7:2b:b6:1f:44:13:01:
         c8:13:1e:ea
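Added example (not Meraki's code): a Python check that compares the text printed by `openssl x509 -noout -text` for a certificate with the host, issuer and expiry this page publishes, run against lines from the page's own openssl output and against a constructed look-alike. The function and constant names are assumptions of this example, and a field match is a sanity check only, since it does not verify the signature chain.

```python
import re
from datetime import datetime, timezone

# Details this page publishes for the rotated certificate.
EXPECTED_HOST = "radius.meraki.com"
EXPECTED_ISSUER_CN = "Sectigo RSA Domain Validation Secure Server CA"
EXPECTED_NOT_AFTER = datetime(2022, 8, 1, tzinfo=timezone.utc)
# Lines taken from the openssl output on this page (only those the checks read).
PAGE_CERT_TEXT = """\
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
            Not Before: Apr 29 00:00:00 2020 GMT
            Not After : Aug 1 00:00:00 2022 GMT
        Subject: CN=radius.meraki.com
                CA:FALSE
                TLS Web Server Authentication, TLS Web Client Authentication
                DNS:radius.meraki.com, DNS:www.radius.meraki.com
"""
# Constructed look-alike: same host name, but a different issuer and expiry.
LOOKALIKE_TEXT = """\
        Issuer: CN = Example Lab CA
            Not Before: Jul  1 00:00:00 2020 GMT
            Not After : Jul  1 00:00:00 2030 GMT
        Subject: CN = radius.meraki.com
                CA:TRUE
                DNS:radius.meraki.com
"""

def _cn(text, field):
    # Accept "CN=x" (older openssl) and "CN = x" (newer releases).
    m = re.search(rf"^\s*{field}:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    return m.group(1).strip() if m else None

def _date(text, label):
    m = re.search(rf"{label}\s*:\s*(.+?) GMT", text)
    return m and datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def check_cert_text(text, now):
    """Names of the checks that fail; a field sanity check, not chain validation."""
    start, end = _date(text, "Not Before"), _date(text, "Not After")
    checks = [
        ("subject CN", _cn(text, "Subject") == EXPECTED_HOST),
        ("SAN", EXPECTED_HOST in re.findall(r"DNS:([^,\s]+)", text)),
        ("issuer CN", _cn(text, "Issuer") == EXPECTED_ISSUER_CN),
        ("expiry", end == EXPECTED_NOT_AFTER),
        ("validity window", bool(start and end and start <= now <= end)),
        ("basic constraints", "CA:FALSE" in text),
        ("server-auth EKU", "TLS Web Server Authentication" in text),
    ]
    return [name for name, ok in checks if not ok]
```

An empty list means every published field matched. The look-alike passes the host-name checks and fails on issuer, expiry, basic constraints and EKU, which is why the host name alone is not enough to accept a prompt.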