
 

Cisco Meraki Documentation

Meraki Authentication Server Certificate Rotation - Aug 2020

Overview

Due to an approaching certificate expiration, Meraki will be rotating the RADIUS server certificate for Meraki Authentication on 3 August 2020. The expected impact and the remediation steps for potential issues are described below.

Meraki Authentication with Sentry Wifi

Users of Meraki Authentication with Systems Manager Sentry Wifi whose devices were online between 1 May 2020 and the rotation date of 3 August 2020 will have no user-visible impact.

Users whose devices were not online during that period simply need to associate to an SSID that allows the device to check in with dashboard for long enough to complete a check-in cycle (~2 minutes). The device then receives the updated payload and resumes normal operation.

Meraki Authentication without Sentry Wifi

Users of Meraki Authentication without Sentry Wifi will need to 'trust' the new certificate, which carries the information below, upon associating to the Meraki Authentication SSID on or after 3 August 2020. Some devices may require the SSID to be "forgotten" before they will prompt to accept the new certificate.

Host: radius.meraki.com
Issued: Sectigo RSA Domain Validation Secure Server CA
Expires: August 1, 2022

Trusted Access

Users of a Trusted Access configuration to an SSID will need to re-download their device's Trusted Access configuration from portal.meraki.com on or after the 3 August 2020 rotation date. 

Certificate Details

Below is a copy of the certificate which users will be required to accept, as well as the plaintext output from reading the certificate with openssl:

meraki$ openssl x509 -noout -text -in ./new.meraki-auth-radius.cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8c:f4:85:20:b7:23:aa:65:22:46:e0:8a:d7:07:54:8e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
        Validity
            Not Before: Apr 29 00:00:00 2020 GMT
            Not After : Aug  1 00:00:00 2022 GMT
        Subject: CN=radius.meraki.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:c9:39:4a:fa:a9:ea:b2:55:cd:6b:23:9b:63:
                    f5:13:ac:17:ee:57:53:af:4e:08:4d:1b:12:36:b4:
                    4b:9d:59:8e:2a:c4:45:6b:35:ef:f9:dd:fa:6c:4d:
                    5a:b4:2d:5f:13:70:9c:e7:0b:63:f8:95:b5:ad:2d:
                    10:9f:8c:76:82:89:f3:b9:7c:e5:26:9d:f2:73:61:
                    81:01:0f:1f:29:b7:87:7f:72:4b:cd:54:71:d6:4f:
                    c5:b8:20:dc:8b:d5:a0:94:dd:8c:5a:42:99:91:2a:
                    2a:85:79:aa:3f:5c:59:77:60:5c:87:72:ce:df:c4:
                    fd:09:34:72:c7:a6:b3:af:ad:ac:dc:16:a8:16:34:
                    d5:0f:bb:7e:6b:89:72:98:4c:75:00:4a:cf:48:46:
                    84:03:e3:4c:1a:b5:89:79:12:fa:8b:93:bd:40:86:
                    aa:5b:0b:c0:6c:0d:f8:d7:a0:34:bb:fb:eb:37:1f:
                    39:ab:99:75:72:07:0f:1a:cb:9a:08:a3:47:13:35:
                    71:e6:48:05:51:28:f8:26:e5:b5:7b:35:aa:a5:49:
                    72:e0:d0:3d:b9:50:20:15:0a:17:c5:2e:64:10:8e:
                    3a:21:db:81:6c:db:75:07:a8:c5:28:af:2c:0a:2d:
                    35:8b:5c:45:45:eb:df:e1:b9:fd:35:8a:ed:96:eb:
                    c1:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
            X509v3 Subject Key Identifier:
                C7:0E:68:73:E9:18:D7:6A:6B:80:06:BB:81:0D:22:95:E3:A8:BD:EC
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.sectigo.com
            X509v3 Subject Alternative Name:
                DNS:radius.meraki.com, DNS:www.radius.meraki.com
            1.3.6.1.4.1.11129.2.4.2:
                .......v.F.U.u.. 0...i..}.,At..I.....p.mG...q..[......G0E. ..'...@..<....t..^............u..!....CeT.U)...)}...q..r.7^.........v...^.h.O.l..._N>Z.....j^.;.. D\*s...q..[E.....G0E.!....s...k(k.^(`...j...6..c.....,8. 'H....i.......1.9. ._.'.......\ZJ.....cDf;N....8.e..v.)y...99!.Vs.c.w..W}.`.....E0C......TC-.$......0..3!.e^.M.I
..M]&\%].....q..[R.....G0E. ......w..6.....0...4.J.Xi.....u..!..pU......V+....^rBJ....c....4...
    Signature Algorithm: sha256WithRSAEncryption
         5a:3f:c0:30:b1:e3:33:4c:3c:64:35:c6:1a:97:37:c9:5e:42:
         e9:cd:00:d6:a0:fb:bc:e0:4b:17:c2:c8:2b:f2:97:a0:7a:60:
         b5:50:c6:b3:99:55:2d:17:d2:2c:18:3f:11:72:96:24:9d:7a:
         fe:9d:fa:33:88:05:49:5e:0c:38:18:9c:87:87:4d:38:52:9e:
         c7:07:41:33:fa:c6:af:0f:f6:ab:41:04:a7:e4:51:27:ec:e9:
         b2:a9:39:cb:1b:f9:a6:af:b8:ee:a0:d3:c1:b7:3f:aa:34:18:
         fb:8f:36:44:2d:65:08:95:f7:03:d1:d2:f3:10:81:3a:15:6c:
         9e:f0:f6:38:83:a2:20:f8:f5:5c:4e:0a:f7:21:2b:1f:58:e9:
         0e:6a:a1:7f:64:29:03:b1:1f:e8:04:ad:74:bf:a1:a4:c5:bb:
         0c:64:f8:fa:18:8f:b4:6c:ef:0f:66:f9:29:4b:b1:b7:29:aa:
         87:e3:ed:3e:57:89:19:3b:7c:84:d8:8d:1c:2e:f4:40:fa:cb:
         de:61:63:bc:b7:d8:34:ed:7a:29:f2:12:f9:59:85:34:2e:cc:
         83:f6:d8:50:68:76:da:55:8d:82:a8:e2:d4:8a:04:74:e8:e6:
         a2:ca:80:2a:91:f4:45:67:a5:c1:ae:f7:2b:b6:1f:44:13:01:
         c8:13:1e:ea
#Meraki Authentication Radius Certificate 
#Updated 3 August 2020
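One way to compare a certificate a client is asked to trust against the details published above before accepting it. This is an added example, not Meraki's code: the function names `cert_field` and `check_meraki_radius_cert` are hypothetical, and the sample input is an excerpt of the openssl output shown on this page.

```sh
#!/bin/sh
# Added example, not Meraki code: compare an `openssl x509 -noout -text` dump
# with the identifying values this page publishes for the rotated certificate.

# Excerpt of the openssl output shown on this page (long fields omitted).
SAMPLE_DUMP=$(cat <<'EOF'
Certificate:
    Data:
        Serial Number:
            8c:f4:85:20:b7:23:aa:65:22:46:e0:8a:d7:07:54:8e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
        Validity
            Not Before: Apr 29 00:00:00 2020 GMT
            Not After : Aug  1 00:00:00 2022 GMT
        Subject: CN=radius.meraki.com
EOF
)

# cert_field DUMP NAME: print one field of the text dump (hypothetical helper).
cert_field() {
  case "$2" in
    serial)    printf '%s\n' "$1" | awk '/Serial Number:/ { getline; gsub(/^[ \t]+|[ \t]+$/, ""); print tolower($0); exit }' ;;
    issuer_cn) printf '%s\n' "$1" | sed -n 's/^ *Issuer: .*CN *= *//p' | head -n 1 ;;
    not_after) printf '%s\n' "$1" | sed -n 's/^ *Not After *: *//p' | head -n 1 ;;
    subject)   printf '%s\n' "$1" | sed -n 's/^ *Subject: *//p' | head -n 1 | sed 's/ *= */=/g' ;;
  esac
}

# check_meraki_radius_cert DUMP: return 0 only if every published value matches.
check_meraki_radius_cert() {
  rc=0
  while IFS='|' read -r name want; do
    got=$(cert_field "$1" "$name")
    if [ "$got" != "$want" ]; then
      printf 'MISMATCH %s: expected "%s", got "%s"\n' "$name" "$want" "$got" >&2
      rc=1
    fi
  done <<'EOF'
serial|8c:f4:85:20:b7:23:aa:65:22:46:e0:8a:d7:07:54:8e
subject|CN=radius.meraki.com
issuer_cn|Sectigo RSA Domain Validation Secure Server CA
not_after|Aug  1 00:00:00 2022 GMT
EOF
  return "$rc"
}

check_meraki_radius_cert "$SAMPLE_DUMP" && echo "matches the published certificate details"
```

Against a saved certificate file, pass the dump produced by the command shown on this page: `check_meraki_radius_cert "$(openssl x509 -noout -text -in ./new.meraki-auth-radius.cert)"`. A match on these text fields identifies the certificate the page describes; it is not a signature check.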