Meraki Authentication Server Certificate Rotation - July 2022
Overview
Due to an approaching certificate expiration Meraki will be rotating the RADIUS server certificate for Meraki Authentication on 29 July 2022. The following is the expected impact and remediation steps for potential issues.
Meraki Authentication with Sentry Wifi
Users of Meraki Authentication with Systems Manager Sentry Wifi with devices which were online between 1 May 2022 and the rotation date of 29 July 2022 will have no user-visible impact.
Users with devices which were not online during that period simply need to associate to an SSID which will allow them to check in with dashboard for long enough to allow a check-in cycle to complete (~2 minutes) in order to receive the updated payload and resume normal operation
Meraki Authentication without Sentry Wifi
Users of Meraki Authentication without Sentry Wifi will need to 'trust' the new certificate with the below information upon associating to the Meraki Authentication SSID on or after 29 July 2022. Some devices may require the SSID to be "forgotten" before they will prompt to accept the new certificate.
Host: radius.meraki.com
Issued: DigiCert TLS RSA SHA256 2020 CA1
Expires: 8 February 2023
Trusted Access
Users of a Trusted Access configuration to an SSID will need to re-download their device's Trusted Access configuration from portal.meraki.com on or after the 29 July 2022 rotation date.
Certificate Details
Below is a copy of the certificate which users will be required to accept, as well as the plaintext output from reading the certificate with openssl:
meraki$ openssl x509 -noout -text -in ./new.meraki-auth-radius.cert Certificate: Data: Version: 3 (0x2) Serial Number: 0e:1c:da:90:04:bf:09:11:2d:68:d3:fc:36:3c:13:bf Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1 Validity Not Before: Feb 9 00:00:00 2022 GMT Not After : Feb 8 23:59:59 2023 GMT Subject: C = US, ST = California, L = San Francisco, O = Meraki LLC, CN = radius.meraki.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) Modulus: 00:c3:f1:7e:d6:79:02:49:8e:7e:31:4b:0b:f2:6e: 08:62:13:42:2f:87:05:e4:24:0e:cd:07:61:5e:eb: d6:39:25:33:d1:9a:b6:e9:39:37:ba:d2:77:ae:7d: c9:c9:e3:e6:27:5d:01:6f:12:92:0b:49:cf:be:33: 26:8b:ac:c7:bd:61:33:60:b6:92:03:89:58:c6:ad: 63:f1:14:77:81:8e:dc:b3:6a:7a:5b:26:d3:32:ac: 3d:a3:94:25:22:a4:93:f3:3e:c8:b8:c1:fa:d1:83: 88:aa:97:53:db:7c:c8:33:05:32:a1:2d:1e:75:cd: 14:2a:31:31:e1:5a:3d:1a:bd:7e:33:df:e7:09:17: c0:5e:1b:a8:16:1d:ef:05:85:9b:48:cc:4e:c6:7b: 1d:70:4b:fc:5e:33:d3:9e:14:af:06:0d:5d:4c:de: f4:7c:33:86:65:ce:92:59:1b:36:2d:bf:a3:f5:8e: 49:ed:36:45:fd:9c:66:a1:fe:a7:02:c1:41:4d:d8: 41:6b:26:78:21:f0:35:d4:91:79:77:d1:60:0f:e6: a2:ea:01:95:11:09:b8:f9:fd:0d:e8:cf:57:2d:e5: 02:85:fe:04:3f:dd:1e:27:de:03:19:65:77:64:25: ef:6b:44:49:d3:10:e2:22:61:ef:30:a7:d4:6f:ca: 7c:eb:df:b8:9b:91:ff:6c:20:48:52:50:ab:df:fe: d8:8d:5e:dd:b9:e5:36:b8:05:be:cf:32:d2:bd:04: ef:b4:dd:d9:59:a2:6b:cf:d5:2f:27:6c:42:3f:05: b2:ad:97:29:a7:3d:9e:5a:9e:f3:0c:20:73:da:35: 22:c0:99:04:f8:17:66:93:ab:67:18:33:3c:8b:12: 60:77:e4:e9:98:62:41:ef:59:0e:e5:80:18:19:01: 19:30:8f:00:56:f0:ac:de:04:13:d7:64:67:4d:54: a4:71:3e:68:32:fb:be:a0:d1:ea:78:2a:f5:52:68: 48:b6:ce:63:70:40:6d:f0:75:5c:d1:ec:ad:4b:60: 10:07:3b:8a:89:ee:5b:b6:a5:47:de:ea:0c:46:d3: 0e:7e:bf:6c:85:15:6f:f2:08:28:b5:b1:fd:b2:00: 9b:3f:1f:21:77:20:f4:ec:bf:9a:ec:7a:60:9d:fd: e6:d7:eb:8b:2a:12:6b:09:27:10:4d:1d:f1:8b:5f: e7:a1:5d:0c:b3:b8:13:4c:2c:68:4b:05:07:a9:be: c9:0c:fd:7a:f6:95:74:ff:a7:d6:ba:70:e4:88:1e: 47:d7:3b:ff:9b:d3:0c:40:f0:9e:4a:95:7d:2f:9a: 8f:45:0e:ce:72:97:6c:fd:70:a6:c5:0a:64:18:14: 51:47:5d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4 X509v3 Subject Key Identifier: 1A:40:6A:A1:08:6A:83:BF:96:F6:4F:AE:6D:9E:8D:AB:A4:EE:68:83 X509v3 Subject Alternative Name: DNS:radius.meraki.com X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl Full Name: URI:http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl X509v3 Certificate Policies: Policy: 2.23.140.1.2.2 CPS: http://www.digicert.com/CPS Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt X509v3 Basic Constraints: CA:FALSE CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1(0) Log ID : AD:F7:BE:FA:7C:FF:10:C8:8B:9D:3D:9C:1E:3E:18:6A: B4:67:29:5D:CF:B1:0C:24:CA:85:86:34:EB:DC:82:8A Timestamp : Feb 9 22:21:09.739 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:25:D5:58:88:33:91:63:17:96:27:29:97: 1F:EF:E2:C7:06:2A:25:49:2F:BB:4D:A2:FE:C6:4F:D4: B3:7B:F7:DE:02:20:76:16:7D:13:C7:84:44:BE:5D:11: CB:F6:1E:20:E6:5D:BB:C6:9C:E7:31:41:35:CF:E2:FB: CA:0B:20:A0:DB:25 Signed Certificate Timestamp: Version : v1(0) Log ID : 35:CF:19:1B:BF:B1:6C:57:BF:0F:AD:4C:6D:42:CB:BB: B6:27:20:26:51:EA:3F:E1:2A:EF:A8:03:C3:3B:D6:4C Timestamp : Feb 9 22:21:09.729 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:10:99:24:71:3E:9A:DA:8B:8A:90:00:F1: F6:5E:FD:3E:97:93:21:8C:5C:9A:9D:B8:7E:BD:4B:B1: F4:B1:EE:A0:02:21:00:AE:23:5A:00:0B:F1:C3:92:73: B6:70:B1:02:D8:73:A3:40:76:42:30:E5:8D:58:37:6F: 24:FF:28:EB:15:CF:52 Signed Certificate Timestamp: Version : v1(0) Log ID : B3:73:77:07:E1:84:50:F8:63:86:D6:05:A9:DC:11:09: 4A:79:2D:B1:67:0C:0B:87:DC:F0:03:0E:79:36:A5:9A Timestamp : Feb 9 22:21:09.773 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:B6:9A:78:64:7B:86:40:7D:45:7E:60: 07:EF:35:D8:EE:AA:62:D6:30:B3:A1:FD:CD:68:0F:00: BD:D3:C0:02:D1:02:21:00:81:DE:FE:6F:A7:D0:84:C2: C0:71:C4:14:C4:D3:8F:6F:2E:AA:5A:4F:07:4F:35:D2: C2:29:3B:44:B9:6F:E7:D0 Signature Algorithm: sha256WithRSAEncryption ba:53:1f:d4:66:77:76:ce:c0:2f:27:50:79:87:8c:b5:45:aa: 5a:6b:eb:03:95:77:8f:4e:85:01:f5:f5:f1:61:96:93:a2:98: b6:52:40:09:14:cc:4a:3e:1c:5a:3c:57:a9:70:89:4b:43:28: b3:bc:14:08:ff:5c:0c:9a:ed:de:92:42:0a:bc:9f:42:d7:44: c0:f2:4f:70:c5:c4:a2:d5:da:f4:68:bf:6e:57:27:b4:4b:dc: 34:15:54:45:ce:89:f1:d2:28:89:52:73:42:73:d5:c9:36:3c: 1f:46:c4:9d:b1:5c:b5:a9:b9:e4:ed:39:f6:b7:88:d8:7e:68: f9:7c:a5:83:e0:a2:f5:0b:c5:06:76:f0:5b:54:29:0b:8f:3d: dd:e1:d5:b8:50:56:79:b7:89:18:a7:23:09:04:f0:1e:f4:4f: bc:d7:37:b5:9a:28:76:f7:85:34:6c:22:fc:aa:8b:1a:55:76: c0:39:dc:bf:05:e0:3c:e3:db:5a:3a:41:49:0d:4f:cd:61:f6: 3c:82:43:55:7f:98:53:42:79:26:0b:74:91:65:be:d1:94:16: e0:0e:8d:a8:80:ae:b1:8f:1c:78:d9:d8:b7:1b:af:f5:94:83: 9a:3a:cf:1d:e0:f2:85:26:7e:3a:e9:60:af:e6:e9:2b:06:80: 56:ae:38:2c
#Meraki Authentication Radius Certificate #Updated 29 July 2022 -----BEGIN CERTIFICATE----- MIIHtzCCBp+gAwIBAgIQDhzakAS/CREtaNP8NjwTvzANBgkqhkiG9w0BAQsFADBP MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjAyMDkwMDAwMDBa Fw0yMzAyMDgyMzU5NTlaMGsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y bmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKEwpNZXJha2kgTExD MRowGAYDVQQDExFyYWRpdXMubWVyYWtpLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQAD ggIPADCCAgoCggIBAMPxftZ5AkmOfjFLC/JuCGITQi+HBeQkDs0HYV7r1jklM9Ga tuk5N7rSd659ycnj5iddAW8SkgtJz74zJousx71hM2C2kgOJWMatY/EUd4GO3LNq elsm0zKsPaOUJSKkk/M+yLjB+tGDiKqXU9t8yDMFMqEtHnXNFCoxMeFaPRq9fjPf 5wkXwF4bqBYd7wWFm0jMTsZ7HXBL/F4z054UrwYNXUze9HwzhmXOklkbNi2/o/WO Se02Rf2cZqH+pwLBQU3YQWsmeCHwNdSReXfRYA/mouoBlREJuPn9DejPVy3lAoX+ BD/dHifeAxlld2Ql72tESdMQ4iJh7zCn1G/KfOvfuJuR/2wgSFJQq9/+2I1e3bnl NrgFvs8y0r0E77Td2Vmia8/VLydsQj8Fsq2XKac9nlqe8wwgc9o1IsCZBPgXZpOr ZxgzPIsSYHfk6ZhiQe9ZDuWAGBkBGTCPAFbwrN4EE9dkZ01UpHE+aDL7vqDR6ngq 9VJoSLbOY3BAbfB1XNHsrUtgEAc7ionuW7alR97qDEbTDn6/bIUVb/IIKLWx/bIA mz8fIXcg9Oy/mux6YJ395tfriyoSawknEE0d8Ytf56FdDLO4E0wsaEsFB6m+yQz9 evaVdP+n1rpw5IgeR9c7/5vTDEDwnkqVfS+aj0UOznKXbP1wpsUKZBgUUUddAgMB AAGjggNxMIIDbTAfBgNVHSMEGDAWgBS3a6LqqKqEjHnqtNoPmLLFlXa59DAdBgNV HQ4EFgQUGkBqoQhqg7+W9k+ubZ6Nq6TuaIMwHAYDVR0RBBUwE4IRcmFkaXVzLm1l cmFraS5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr BgEFBQcDAjCBjwYDVR0fBIGHMIGEMECgPqA8hjpodHRwOi8vY3JsMy5kaWdpY2Vy dC5jb20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0ExLTQuY3JsMECgPqA8hjpo dHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIw Q0ExLTQuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0 dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzB/BggrBgEFBQcBAQRzMHEwJAYIKwYB BQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBJBggrBgEFBQcwAoY9aHR0 cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTUlNBU0hBMjU2MjAy MENBMS0xLmNydDAJBgNVHRMEAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgA dQCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAAAX7gk37rAAAEAwBG MEQCICXVWIgzkWMXlicplx/v4scGKiVJL7tNov7GT9Sze/feAiB2Fn0Tx4REvl0R y/YeIOZdu8ac5zFBNc/i+8oLIKDbJQB2ADXPGRu/sWxXvw+tTG1Cy7u2JyAmUeo/ 4SrvqAPDO9ZMAAABfuCTfuEAAAQDAEcwRQIgEJkkcT6a2ouKkADx9l79PpeTIYxc mp24fr1LsfSx7qACIQCuI1oAC/HDknO2cLEC2HOjQHZCMOWNWDdvJP8o6xXPUgB3 ALNzdwfhhFD4Y4bWBancEQlKeS2xZwwLh9zwAw55NqWaAAABfuCTfw0AAAQDAEgw RgIhALaaeGR7hkB9RX5gB+812O6qYtYws6H9zWgPAL3TwALRAiEAgd7+b6fQhMLA ccQUxNOPby6qWk8HTzXSwik7RLlv59AwDQYJKoZIhvcNAQELBQADggEBALpTH9Rm d3bOwC8nUHmHjLVFqlpr6wOVd49OhQH19fFhlpOimLZSQAkUzEo+HFo8V6lwiUtD KLO8FAj/XAya7d6SQgq8n0LXRMDyT3DFxKLV2vRov25XJ7RL3DQVVEXOifHSKIlS c0Jz1ck2PB9GxJ2xXLWpueTtOfa3iNh+aPl8pYPgovULxQZ28FtUKQuPPd3h1bhQ Vnm3iRinIwkE8B70T7zXN7WaKHb3hTRsIvyqixpVdsA53L8F4Dzj21o6QUkNT81h 9jyCQ1V/mFNCeSYLdJFlvtGUFuAOjaiArrGPHHjZ2Lcbr/WUg5o6zx3g8oUmfjrp YK/m6SsGgFauOCw= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaME8xCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBS U0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6a qXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddn g9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuW raKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21r eacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBgjCCAX4wEgYDVR0TAQH/BAgwBgEB /wIBADAdBgNVHQ4EFgQUt2ui6qiqhIx56rTaD5iyxZV2ufQwHwYDVR0jBBgwFoAU A95QNVbRTLtm8KPiGxvDl7I90VUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG CCsGAQUFBwMBBggrBgEFBQcDAjB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2Nh Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDBCBgNV HR8EOzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRH bG9iYWxSb290Q0EuY3JsMD0GA1UdIAQ2MDQwCwYJYIZIAYb9bAIBMAcGBWeBDAEB MAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EMAQIDMA0GCSqGSIb3DQEBCwUAA4IB AQCAMs5eC91uWg0Kr+HWhMvAjvqFcO3aXbMM9yt1QP6FCvrzMXi3cEsaiVi6gL3z ax3pfs8LulicWdSQ0/1s/dCYbbdxglvPbQtaCdB73sRD2Cqk3p5BJl+7j5nL3a7h qG+fh/50tx8bIKuxT8b1Z11dmzzp/2n3YWzW2fP9NsarA4h20ksudYbj/NhVfSbC EXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6 ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E A7sKPPcw7+uvTPyLNhBzPvOk -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97 nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt 43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4 gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg 06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= -----END CERTIFICATE-----