The security certificate currently in use by the Dukeblue wireless network expires on May 30, 2020. A new Duke-signed certificate will be put in its place on May 20, 2020. Computers must have a Duke root certificate authority added to their Trusted Root Certification Authority store before they will be able to connect to Dukeblue using the new certificate. Duke University managed computers can receive the new certificate in a few different ways, some of which also include full wireless profiles that auto-connect and provide additional functionality and security.
Certificate and Profile
Active Directory Group Policy (Windows)
The DU-GLOBAL_Dukeblue_Profile Group Policy Object will install a Dukeblue profile and the certificates necessary to connect to Dukeblue both before May 20 and after. This GPO is the older and widely-used “CDSS-Dukeblue” policy, updated with the new certificate and renamed. If you had applied the older CDSS GPO, you have nothing to do; this policy now applies in its place. If you had not, simply link this GPO to your Active Directory OU and any computers within will receive the profile and certificates the next time they’re on the Duke network (either via VPN or IRL).
Jamf Pro Configuration Profile (macOS)
This Template Configuration Profile, once downloaded and uploaded into your Jamf Pro site, will create a Configuration Profile with a Dukeblue network payload and certificate payloads for the old and new certificates. If you have not already deployed a Dukeblue Configuration Profile to your supported macOS devices, you can upload this file, rename the Profile, set a Scope, and you’re done! If you are already deploying a Dukeblue Configuration Profile, you’re already set: the new certificate has already been added to all existing Dukeblue Configuration Profiles in Duke Jamf Pro with the edited Profile re-distributed to all previous computers in scope.
Certificate Only
Active Directory Group Policy (Windows)
The DU-GLOBAL_Dukeblue+eduroam_cert_root Group Policy Object only installs the new certificate root needed to connect to Dukeblue. Once installed, computers will be able to trust the new Dukeblue certificate and connect after the certificate is updated on May 20, 2020. As with the other GPO, link this GPO to your Active Directory OU and any computers within will receive the certificates the next time they’re on the Duke network (either via VPN or IRL).
BigFix (Windows and macOS)
The DU-GLOBAL – Install Dukeblue and eduroam certificate root Task is relevant for all Windows and macOS computers and will install the new certificate root needed to connect to Dukeblue. Once installed, computers will be able to trust the new Dukeblue certificate and connect after the certificate is updated on May 20, 2020. While installing certificates is fairly straightforward, identifying installed certificates is not. As such, this BigFix Task will remain relevant for all Windows and macOS computers even after the Task has been successfully run. We’re looking in to ways to accurately report on the current certificate state but, in the meantime, there is no harm in pushing this Task to a computer that already has the certificate.
Manual (All platforms)
This archive file contains two scripts–one .BAT for Windows and one .SH for macOS–that (when run as Admin/root) will create and install the new Dukeblue root certificate into the Trusted Root Certification Authority store. Run the appropriate script in an elevated Windows Command Prompt or as sudo in macOS Terminal and you’re good to go. If you’re determined to do things yourself, you can also download the certificate itself and install it by whatever means you see fit.
