Updating PEAP-MS-CHAP v2 certificate to comply with Certificate Transparency

0

I am a high school student, and our school Wi-Fi uses PEAP-MS-CHAPv2-based WPA2 Enterprise. On macOS Mojave, the OS mandates Certificate Transparency (and terminates all TLS connections that try to use certificates which don't comply with Apple's policy), which makes certain WPA2 Enterprise networks unconnectable. I once asked for a way to turn off Certificate Transparency checks, but I couldn't get an answer.

I'm not sure if I have understood the authentication process well enough, but what I understood is that the part that uses TLS certificates in the WPA2 Enterprise authentication process is the PEAP process.

  1. Is this correct? Is the TLS certificate used in the PEAP process?
  2. Is there any way (in general) to allow certain certificates to bypass the check?
  3. I would like to ask our network administrator to update the Wi-Fi certificates, but I am not sure how to update the certificates to comply with Apple's policy. Apple's policy talks about needing SCTs issued from CTs, but I am not sure how to get them. How should the certificate be updated?

조성빈

Posted 2019-06-02T03:54:29.490

Reputation: 1

Certificate Transparency only applies to publicly trusted certificates. That is, ones which are created by commercial CAs, such as DigiCert, Entrust etc. Does your network use such a certificate? It does not apply to private CAs and self-signed certificates. – garethTheRed – 2019-06-02T06:39:27.920

@garethTheRed Looking at the certificate, it says the certificate is issued by SecureDataSystems (which doesn’t look like a commercial CA). Then, does that mean that the certificate isn’t being affected by CT? – 조성빈 – 2019-06-02T06:43:30.673

It seems that whoever they are, they're not in the CT logs. – garethTheRed – 2019-06-02T06:47:11.080

@garethTheRed Ah, then maybe it’s only the certificate expiry date that’s the problem? (The certificate expired a long, long time ago...) – 조성빈 – 2019-06-02T06:49:37.937

I would always start with the simple option first ;-) – garethTheRed – 2019-06-02T07:50:32.327

Yeah, thanks! I was... well cautious as asking the network administrator to update the certificate is a hard task :-( Thanks for clarifying! – 조성빈 – 2019-06-02T07:52:13.470

No answers
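
The checks the comments walk through (who issued the certificate, whether it has expired, whether it carries embedded SCTs), as an added example that is not part of the original thread. It assumes the server certificate has been saved as a PEM file and that the `openssl` CLI is installed; `cert_triage`, `make_sample_cert` and the sample subject are hypothetical names.

```shell
#!/usr/bin/env bash
# cert_triage PEM [SECONDS]: summarise a server certificate saved as PEM.
# SECONDS (default 0) asks "will it still be valid that many seconds from now?".
cert_triage() {
  local pem="$1" ahead="${2:-0}" subject issuer text
  subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || return 2
  issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253) || return 2
  text=$(openssl x509 -in "$pem" -noout -text) || return 2
  echo "$issuer"
  openssl x509 -in "$pem" -noout -enddate
  # Identical subject and issuer means self-signed; otherwise the issuer
  # name shows whether a private CA or a publicly trusted CA signed it.
  if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
    echo "chain=self-signed"
  else
    echo "chain=issued-by-other-ca"
  fi
  # -checkend exits 0 only if notAfter is later than now + SECONDS.
  if openssl x509 -in "$pem" -noout -checkend "$ahead" >/dev/null; then
    echo "validity=ok"
  else
    echo "validity=lapsed"
  fi
  # Embedded SCTs live in extension 1.3.6.1.4.1.11129.2.4.2, which OpenSSL
  # prints as "CT Precertificate SCTs" when built with CT support.
  case "$text" in
    *"CT Precertificate SCTs"*|*"1.3.6.1.4.1.11129.2.4.2"*) echo "sct=embedded" ;;
    *) echo "sct=none" ;;
  esac
}

# Constructed sample input: a throwaway self-signed certificate, valid one day.
make_sample_cert() {
  local dir
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Constructed Private CA/CN=radius.example.test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  echo "$dir/cert.pem"
}

# Stand-alone use: ./cert_triage.sh server.pem
if [ -n "${1:-}" ]; then
  cert_triage "$@"
fi
```

A `validity=lapsed` line with no SECONDS argument points at plain expiry, the simple case raised in the comments, independent of any SCT finding.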