Certificates for eduroam


eduroam's EAP authentication is secured using X.509 certificates — the same sort of security certificates you use for websites. However, unlike a web server, you shouldn't necessarily rush out and buy a certificate for eduroam…


There are a few ways to create a security certificate you can use for your eduroam RADIUS server, each with its own pros and cons. You can either use a commercially signed certificate, one signed by an internal CA (e.g. by Active Directory Certificate Services), or use a long-lived self-signed one. The first of these is probably the easiest to do but comes with some security considerations; the last is generally considered best for security but has the additional problem of onboarding a certificate onto users' devices.


Certificate recommendations


Our recommendation for new deployments is as follows:



  • If you're using Windows NPS and Active Directory, make use of the server certificate that already exists on your RADIUS server. This is signed by AD's enterprise certification authority, which is automatically trusted by domain members. You can use eduroam CAT to onboard the AD CA certificate onto other devices. (See how to export the AD CA cert.)


  • If you already have your own internal/institutional certification authority, make use of this to sign a certificate. See eduroam's EAP Server Certificate considerations for information on what this certificate should look like. You can make use of eduroam CAT to onboard your institutional CA certificate onto devices.


  • If you do not have any certificate authority, consider making use of a long-lived self-signed certificate and using eduroam CAT to onboard this onto devices. (FreeRADIUS has a bootstrap script that will automatically create the correct sort of certificate for you.)


  • If you're not comfortable with any of the above options, make use of a commercially signed certificate as a last resort. Note that you should not use a wildcard certificate since this is known to be problematic in some versions of Microsoft Windows. Remember that TENET has a certificate service available to ac.za holders.
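As an added example (it is not TENET's or eduroam's tooling, and it is not the FreeRADIUS bootstrap script mentioned above), the script below shows what a long-lived private CA and EAP server certificate of the kind recommended above look like when built by hand with openssl, and then checks the result against the points made in this list: no wildcard, the serverAuth extended key usage present, and enough validity remaining. The organisation, the names example.ac.za and radius.example.ac.za, and the ten-year lifetimes are placeholders; it assumes openssl 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not TENET's or eduroam's tooling, and not the FreeRADIUS
# bootstrap script): build a private CA and a long-lived EAP server
# certificate with openssl, then check the result against the points made
# above: not a wildcard, carries the serverAuth EKU, not close to expiry.
# Names, organisation and lifetimes below are placeholders (assumptions).
set -e

WORKDIR=$(mktemp -d)
CA_DAYS=3650                          # CA cert lifetime (10 years, assumed)
SRV_DAYS=3650                         # server cert lifetime; long-lived so
                                      # that rollovers are rare
SERVER_FQDN="radius.example.ac.za"    # placeholder RADIUS server name

# Create the CA and a server certificate signed by it.
# $1 = output directory, $2 = server FQDN (used as both CN and DNS SAN)
make_eap_certs() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    # 1. Private CA. ca.pem is what gets onboarded to devices (e.g. through
    #    eduroam CAT); ca.key must be kept offline after signing.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/C=ZA/O=Example University/CN=Example University eduroam CA" \
        2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"
    openssl x509 -req -sha256 -days "$CA_DAYS" -in "$dir/ca.csr" \
        -signkey "$dir/ca.key" -extfile "$dir/ca.ext" -out "$dir/ca.pem" \
        2>/dev/null
    # 2. Server key and certificate request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=ZA/O=Example University/CN=$fqdn" 2>/dev/null
    # 3. Extensions an EAP server certificate should carry: id-kp-serverAuth
    #    and a DNS SAN equal to the CN. No wildcard, no CA flag.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$fqdn" > "$dir/server.ext"
    openssl x509 -req -sha256 -days "$SRV_DAYS" -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# Check a server certificate against this page's recommendations.
# $1 = PEM file, $2 = minimum days of validity that must remain.
# Returns 0 when all checks pass, otherwise prints each failure and returns 1.
check_eap_cert() {
    pem=$1; min_days=$2; rc=0
    subject=$(openssl x509 -in "$pem" -noout -subject)
    case "$subject" in
        *'*'*) echo "FAIL: wildcard certificate ($subject)"; rc=1 ;;
    esac
    if ! openssl x509 -in "$pem" -noout -ext extendedKeyUsage 2>/dev/null |
         grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: no serverAuth extended key usage"; rc=1
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) \
         >/dev/null; then
        echo "FAIL: certificate expires within $min_days days"; rc=1
    fi
    return $rc
}

make_eap_certs "$WORKDIR" "$SERVER_FQDN"
if check_eap_cert "$WORKDIR/server.pem" 90; then
    echo "OK: $WORKDIR/server.pem passes; onboard $WORKDIR/ca.pem via CAT"
else
    echo "problems found in $WORKDIR/server.pem"; exit 1
fi
```

The CA and server certificates are created as two separate steps with explicit extension files rather than with openssl's defaults, so the same extensions come out whichever openssl version is installed. The check function is the part worth keeping: run it against the certificate your RADIUS server actually serves, with a threshold of a few months, and it will flag the three problems this page warns about before your users see them.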


GÉANT (which maintains the global eduroam infrastructure) has published a useful guide on the various options available and their relative pros and cons, as part of its campus best practices project.


eduroam CAT


You'll note that there are several mentions of eduroam CAT above. This is because eduroam CAT generates customised installers for all major operating systems, allowing your users to configure eduroam correctly by simply running an installer. CAT automatically configures the correct security settings for your users, and is the easiest way to onboard your certificates onto user devices.


You can enrol your institution for CAT via our management interface. You can read about how to use CAT to onboard certificates in the CAT administrator guide.


A note about certificate validation


It is absolutely critical that your users validate the security certificate used for eduroam. This is typically done automatically by their operating system, and eduroam CAT will set things up correctly without your users having to know anything about the process. Without CAT, users may be prompted to check the certificate the first time they connect, and you should publish details of the correct certificate so your users know what to look for.


We've seen a few institutions recommend disabling certificate validation to work around the problem of onboarding a certificate, or to continue using an expired certificate. This is the wrong approach and puts the security of your users' accounts at risk (and thus all the personal and other information they contain or have access to). Without certificate validation, an attacker can conduct a man-in-the-middle attack against your users and decrypt their username and password from inside the EAP conversation.


Our monitoring system will let you know if your certificate is about to expire.


Certificate renewals and rollovers


From time to time it may be necessary to renew or roll over the certificate you use for eduroam.


Certificate renewals are generally relatively painless — if you've anchored your installation on a CA certificate and you continue to use a certificate signed by the same certification authority with the same common name (as is typical with a commercial certificate renewal), most operating systems will accept the new certificate without any problems. We are aware of at least one, Apple iOS, that will prompt users to reaffirm acceptance of the certificate, but most users will probably not even be aware of the renewal.


If, however, you need to change the certification authority you use or have a self-signed certificate that is expiring, you need to plan a proper certificate rollover. This can take some time to get right, and we recommend planning for it at least six months in advance — you may, for instance, want to time it to coincide with a change in the academic year to minimise the impact on your help desk.


Fortunately, eduroam CAT can also help with this, as it will allow you to embed both an old and a new certificate within the installer. If you update your CAT installers well in advance of the anticipated change, you can greatly reduce the impact of this change.
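As an added example (not TENET's or eduroam's own tooling), the script below applies the distinction drawn in this section to two certificate files: it reports whether a replacement certificate is a plain renewal (same issuing CA, same common name) or needs a proper rollover, and it builds the kind of two-CA trust bundle a CAT installer carries during a transition and checks that both the old and the new server certificate validate against it. It assumes openssl on the PATH; the file names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not TENET's or eduroam's tooling. Given the certificate
# currently in use and its proposed replacement, report whether this is a
# plain renewal (same issuing CA and same CN, so devices anchored on the CA
# cert carry on working) or a rollover (different issuing CA, so the new CA
# certificate must be onboarded first). Also builds the kind of two-CA trust
# bundle a CAT installer carries during a transition and checks both server
# certificates against it. Assumes openssl on the PATH.
set -e

# Print the subject or issuer of a certificate in RFC 2253 form.
# $1 = subject|issuer, $2 = PEM file
cert_field() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1=//"
}

# Print just the CN attribute of a certificate's subject. $1 = PEM file
cert_cn() {
    cert_field subject "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# $1 = current certificate, $2 = replacement. Prints one of:
#   renewal   - same issuer, same CN (the painless case described above)
#   cn-change - same issuer, different CN (installers configured with the
#               old server name will reject it; plan it like a rollover)
#   rollover  - different issuer (plan a proper rollover)
classify_cert_change() {
    if [ "$(cert_field issuer "$1")" != "$(cert_field issuer "$2")" ]; then
        echo rollover
    elif [ "$(cert_cn "$1")" != "$(cert_cn "$2")" ]; then
        echo cn-change
    else
        echo renewal
    fi
}

# Write a bundle holding both the old and the new CA certificate, then verify
# that the old and the new server certificate each chain to it.
# $1 = bundle output, $2 = old CA, $3 = new CA, $4 = old server cert,
# $5 = new server cert. Returns 0 only if both verify.
verify_transition_bundle() {
    cat "$2" "$3" > "$1"
    openssl verify -CAfile "$1" "$4" >/dev/null &&
        openssl verify -CAfile "$1" "$5" >/dev/null
}

# Stand-alone usage: sh this-script.sh current.pem replacement.pem
if [ $# -eq 2 ]; then
    echo "certificate change type: $(classify_cert_change "$1" "$2")"
fi
```

The issuer comparison is what matters for the renewal-versus-rollover decision: a device that trusts the CA certificate and checks the server name will accept any certificate the same CA issues for the same name, which is why a commercial renewal is usually invisible to users. The bundle check mirrors what an updated CAT installer does for you during the overlap period, and running it before you switch the RADIUS server over confirms that devices carrying the new installer will accept either certificate.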