"Verify Certificate" when connecting to corporate WiFi in Big Sur

bearzooka
Contributor

So we are getting this prompt to verify the certificate that is used to connect to the corporate WiFi.


It has happened on devices that were already using that network before the upgrade to Big Sur, and also to devices that are connecting to it for the first time.

We verified and the RootCA that is part of the trust was already in the Keychain, added with a config profile.

So I have two questions:

  • Is this dialog something new and an expected behaviour?
  • Is there a way to pre-approve this so users won't get this dialog?

andrew_nicholas
Valued Contributor

We're seeing this as well now that we can test some devices in office, though I've not delved farther than the immediate of config profile scoping being correct.

NateES
New Contributor III

Do your certificates meet the requirements outlined in Apple's Requirements for trusted certificates in iOS 13 and macOS 10.15?
In short:
• RSA key sizes ≥ 2048 bits
• SHA-2 hash signatures
• DNS name of server in Subject Alternative Name extension
• Server cert contains ExtendedKeyUsage extension containing id-kp-serverAuth OID
• Server cert valid for ≤ 825 days (your expiration date appears to be beyond this date)
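
A quick way to test a RADIUS server certificate against the list above, as an added example that is not part of this thread: the script assumes the certificate is available as a PEM file and that the openssl CLI is installed; it prints one line per requirement and returns non-zero if any fails (EC keys are not covered by the list, so only RSA sizes are checked).

```shell
#!/bin/sh
# Added example (not from the thread): check a RADIUS/EAP server certificate in PEM form
# against the requirements listed above, using the openssl CLI. Returns 0 if every check
# passes, 1 if any fails, 2 if the file cannot be parsed. EC keys are not covered.

to_epoch() {  # GNU date first, then the BSD/macOS form
    date -u -d "$1" +%s 2>/dev/null || date -j -u -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
}

check_cert() {
    pem="$1"; fails=0
    txt=$(openssl x509 -in "$pem" -noout -text) || return 2

    # RSA key size >= 2048 bits
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then echo "ok   key size $bits bits"
    else echo "FAIL key size ${bits:-unknown}"; fails=1; fi

    # SHA-2 signature algorithm (SHA-1 and MD5 signatures are not accepted)
    sig=$(printf '%s\n' "$txt" | sed -n 's/.*Signature Algorithm: //p' | head -n 1)
    case "$sig" in
        *sha256*|*sha384*|*sha512*) echo "ok   signature $sig" ;;
        *) echo "FAIL signature $sig"; fails=1 ;;
    esac

    # SAN extension must carry a DNS name for the server
    if printf '%s\n' "$txt" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:'
    then echo "ok   SAN contains a DNS name"; else echo "FAIL SAN has no DNS name"; fails=1; fi

    # EKU must include id-kp-serverAuth (openssl prints it as TLS Web Server Authentication)
    if printf '%s\n' "$txt" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
    then echo "ok   EKU includes serverAuth"; else echo "FAIL EKU lacks serverAuth"; fails=1; fi

    # Validity period must not exceed 825 days
    nb=$(to_epoch "$(openssl x509 -in "$pem" -noout -startdate | cut -d= -f2)")
    na=$(to_epoch "$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)")
    days=$(( (na - nb) / 86400 ))
    if [ "$days" -le 825 ]; then echo "ok   validity $days days"
    else echo "FAIL validity $days days (> 825)"; fails=1; fi
    return $fails
}

# Usage: sh check_cert.sh server.pem
if [ $# -eq 1 ]; then check_cert "$1"; fi
```

To pull the certificate the RADIUS server actually presents during EAP, export it from the Wi-Fi profile or from the server's configuration; the script only needs the PEM.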

jkryklywec
New Contributor III

We are also seeing the same thing: the certs work fine without user interaction in 10.15, but in 10.16/11.x the user now needs to select Wi-Fi and then auth as admin to trust the cert twice to connect. It is the same cert that works in 10.15, so it does meet the requirements. This will be an issue for those returning to the office on Big Sur and whenever machine certs renew every year.

matthias_bretz
New Contributor III

Are you deploying the server cert or are you just relying on the trust chain? We had similar issues since iOS 13, so we are deploying the server cert together with the other RADIUS information and selected it under "Trusted Certificates". Had no issues with this in Big Sur so far (11.0.1).

andrew_nicholas
Valued Contributor

The main thing that seems to be sticking out is that on Big Sur, if you expand the Trust section, the certificate is asking to change two values to Always Trust from Use System Defaults.

nadim_ahmed
New Contributor

Has anyone managed to find a fix for this? We are also experiencing the same issue, seems like a server cert is being requested to be verified. We didn't see this with Catalina devices.

nadim_ahmed
New Contributor

Managed to fix this: although the Root & Issuing Cert is trusted, it wasn't selected to be trusted on the network payload within our SCEP config profile. Trusting via config profile and redeploying resolves the issue. Although now I have over 1500 certs to redeploy :(

alexjdale
Valued Contributor III

Has anyone found another solution besides hard-coding the server certificate? If we have to include the cert file in the SCEP profile with our network configs, that means we are now bound by that certificate's expiration date when it comes to renewals, and we have to redeploy the profile to all 10k Macs when we renew the server cert. So even if a device was provisioned the day before, it's getting a new profile and machine cert. Our team managing the SCEP server will freak out if I tell them I need to issue 10k certs all at once.

And since wired 802.1X requires the Ethernet dongle to be attached, if we push the profile when it's not connected, that breaks Ethernet for that device.

I don't understand why setting the trust for the server cert on the System keychain isn't working. Is anyone having a better experience here?