Certificates for eduroam

eduroam's EAP authentication is secured using X.509 certificates — the same sort of security certificates you use for websites. However, unlike a web server, you shouldn't necessarily rush out and buy a certificate for eduroam…

There are a few ways to create a security certificate you can use for your eduroam RADIUS server, each with its own pros and cons. You can either use a commercially signed certificate, one signed by an internal CA (e.g. by Active Directory Certificate Services), or use a long-lived self-signed one. The first of these is probably the easiest to do but comes with some security considerations; the last is generally considered best for security but has the additional problem of on-boarding the certificate onto users' devices.

Certificate recommendations

Our recommendation for new deployments is as follows:

  • If you're using Windows NPS and Active Directory, make use of the server certificate that already exists on your RADIUS server. This is signed by AD's enterprise certification authority, which is automatically trusted by domain members. You can use eduroam CAT to onboard the AD CA certificate onto other devices. (See how to export the AD CA cert.)

  • If you already have your own internal/institutional certification authority, make use of this to sign a certificate. See eduroam's EAP Server Certificate considerations for information on what this certificate should look like. You can make use of eduroam CAT to onboard your institutional CA certificate onto devices.

  • If you do not have any certificate authority, consider making use of a long-lived self-signed certificate and using eduroam CAT to onboard this onto devices. (FreeRADIUS has a bootstrap script that will automatically create the correct sort of certificate for you.)

  • If you're not comfortable with any of the above options, make use of a commercially signed certificate as a last resort. Note that you should not use a wildcard certificate since this is known to be problematic in some versions of Windows. Remember that TENET has a certificate service available to ac.za holders.

GÉANT (who maintain the global eduroam infrastructure) has published a useful guide on the various options available, and their relative pros and cons as part of their campus best practices project.
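As an added illustration (not TENET's, GÉANT's or FreeRADIUS's code), the Go program below checks a RADIUS server certificate against two of the points above: it must not carry a wildcard name, and it must not be expired or close to expiry, the sort of check an expiry monitor performs. It has no real certificate to read, so it generates a long-lived self-signed one itself as constructed test data; the names radius.example.ac.za and the 30-day warning window are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// CheckEAPServerCert lists problems with a RADIUS/EAP server certificate, judged against
// this page's advice: no wildcard name, and neither expired nor within warnDays of expiry.
func CheckEAPServerCert(cert *x509.Certificate, now time.Time, warnDays int) []string {
	var problems []string
	// Look at the subject CN and every DNS SAN; a wildcard in any of them is the case
	// the page warns is problematic on some versions of Windows.
	for _, n := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
		if strings.HasPrefix(n, "*.") {
			problems = append(problems, "wildcard name "+n)
			break
		}
	}
	if left := cert.NotAfter.Sub(now); left <= 0 {
		problems = append(problems, "expired on "+cert.NotAfter.Format("2006-01-02"))
	} else if left < time.Duration(warnDays)*24*time.Hour {
		problems = append(problems, "expires soon, on "+cert.NotAfter.Format("2006-01-02"))
	}
	return problems
}

// NewSelfSignedEAPCert builds a long-lived self-signed certificate for name as constructed
// test data (an assumption for this example, not the FreeRADIUS bootstrap script's output).
func NewSelfSignedEAPCert(name string, years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(years, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To check a deployed certificate instead, parse its PEM with encoding/pem and x509.ParseCertificate and pass the result to CheckEAPServerCert.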

eduroam CAT

You'll note that there are several mentions of eduroam CAT above. This is because eduroam CAT generates customised installers for all major operating systems, allowing your users to configure eduroam correctly by simply running an installer. CAT automatically configures the correct security settings for your users, and is the easiest way to onboard your certificates onto user devices.

You can enrol your institution for CAT via our management interface. You can read about how to use CAT to onboard certificates in the CAT administrator guide.

A note about certificate validation

It is absolutely critical that your users validate the security certificate used for eduroam. This is typically done automatically by their operating system, and eduroam CAT will set things up correctly without your users having to know anything about the process. Without CAT, users may be prompted to check the certificate the first time they connect, and you should publish details of the correct certificate so your users know what to look for.

We've seen a few institutions recommend disabling certificate validation to work around the problem of onboarding a certificate, or to continue using an expired certificate. This is the wrong approach and puts the security of your users' accounts at risk (and thus all the personal and other information they contain). Without certificate validation, a malicious attacker can conduct a man-in-the-middle attack against your users and decrypt their username and password from inside the EAP conversation.

Our monitoring system will let you know if your certificate is about to expire.