ChromeOS: CA-Certificate will not be configured (tested for EAP-TTLS) #80

Open
Lukas-UAUX opened this issue Mar 4, 2024 · 1 comment

@Lukas-UAUX

As I have been told on cat-users, the new app should be compatible with ChromeOS as well - and it does configure a working eduroam connection. But it does not seem to set the correct CA-Certificate, which would make the configuration (from a security standpoint) unusable.

As I already had similar experiences with other configuration methods, this is probably due to a problem within ChromeOS when trying to install an already known "Trusted Root CA" (CA-Forum).

I can kinda force the installation when using "the wrong" tab for server certificates in chrome://certificate-manager - which results in it being listed under the CA-Tab where I can set its trust level to websites. Then it becomes available for the Wifi configuration as well...

Does it work when using a self-signed certificate? Is it just a GUI issue and the CA is actually configured correctly in the background?

Could setting it to "Default" (instead of do not check) be at least a workaround for users of Trusted CAs? Do I understand it correctly that it verifies the subject-match against all installed CAs, same as a web browser?

@pauldekkers
Member

I'm very sure we tested this during development, and I just tried to confirm this issue for you, but I can't.

I deployed a profile with one CA, and after switching to a different CA server-side I was unable to authenticate. Which is what I would expect, and what makes this secure. So I'm quite sure the mutual authentication is configured properly on the client. We also tested changes in the certificate subject and support with multiple CAs offered from the profile and what not.

What may be the case is that you don't see the CA settings represented in the UI. There's nothing we can do about that, but for one thing the Android UI elements don't allow displaying multiple names/values, while the App is perfectly able to configure this via the APIs.
