...
- The RADIUS/EAP server should send the server certificate and the intermediate(s) below USERTrust RSA Certification Authority. This is typically only one intermediate certificate with names "GEANT OV RSA CA 4" or "Sectigo RSA Organization Validation Secure Server CA"
- When using eduroam CAT as the onboarding tool, include only the root variant of USERTrust RSA Certificate Authority
- WARNING: This shorter root will not seamlessly validate certificates subsequently issued by Sectigo themselves, and you must include the R46 and R36 intermediate certificates provided with your server certificate in your profile.
HARICA certificates issued by the GÉANT Certificate Service
HARICA is the CA backing the GÉANT Certificate Service since January 2025. The server certificate issued by the service comes with the GEANT intermediate certificate. It is recommended to also add the Cross Certificate from HARICA Root CA 2015 to 2021 as a second intermediate certificate to the RADIUS server after the GÉANT intermediate certificate. This way, supplicants with knowledge of only the Root CA 2015 could still connect securely. However, it is recommended to put only the HARICA TLS Root CA 2021 to eduroam CAT for usage during onboarding.
In summary:
- The RADIUS/EAP server should send the server certificate, the HARICA GEANT TLS intermediate certificate and the Cross Certificate from HARICA Root CA 2015 to 2021 as second intermediate certificate
- ECC certificates: GEANT.pem (GEANT.txt) Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.pem (Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.txt)
- RSA certificates: GEANT.pem (GEANT.txt) Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.pem (Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.txt)
- When using eduroam CAT as the onboarding tool, upload the HARICA TLS Root CA 2021 to CAT
- ECC: Root-CA.pem (Root-CA.txt)
- RSA: Root-CA.pem (Root-CA.txt)
Consideration 2: Recommended certificate properties
...
| Property | Content | Remarks |
|---|---|---|
| X.509 version | 3 | The CA certificate should be an X.509v3 certificate. |
| Server name (commonName in the Subject) | parses as fully-qualified domain name | Server certificates with spaces in the common name (CN), e.g. "RADIUS Service of Foo University" are known to be problematic with some supplicants, one example being Apple iOS 6.x. |
| Server name | Subject/CN == SubjectAltName:DNS | Some supplicants only consult the CN when checking the name of an incoming server certificate (Windows 8 with PEAP); some check either of the two; some new EAP types such as TEAP, and Linux clients configured by CAT 1.1.2+ will only check SubjectAltName:DNS. Keeping the desired name in both fields in sync is a safe bet for futureproofness. Only use one CN. If you have multiple RADIUS servers, either use the same certificate for all of them (there is no need for the name to match the DNS name of the machine it is running on), or generate multiple certificates, each with one CN/subjectAltName:DNS pair. In the case of multiple certificates, make sure you add a SubjectAltName in the Extended Key Usage extension that is common between all of them, so that you can use it in the eduroam CAT profile. Make sure the case of the Subject/CN and the SubjectAltName matches, e.g. "CN=servername.org" and "DNS:Servername.org" do not match (despite being effectively identical in DNS). Android 12 is known to be picky about this. |
| Server name | not a wildcard name (e.g "*.someidp.tld") | Some supplicants exhibit undefined/buggy behaviour when attempting to parse incoming certificates with a wildcard. Windows 8 and 8.1 are known to choke on wildcard certificates, and it is difficult to use the defined wildcard CN in the eduroam CAT profile. |
| Signature algorithm | Minimum: SHA-256 Recommended: SHA-256 or higher | Server certificates signed with the signature algorithm MD5 are considered invalid by many modern operating systems, e.g. Apple iOS 6.x and above. Windows 8.1 and all previous versions of Windows (8, 7, Vista) which are on their latest patch levels will not validate such certificates either. Having a server certificate (or an intermediate CA certificate) with MD5 signature will create problems on these operating systems. Apparently, no operating system as of yet has an issue with the root CA being self-signed with MD5. This may change at any point in the future though; when creating a new CA infrastructure, ensure that you do not use MD5 as signature algorithm anywhere. The continued use of SHA-1 as a signature algorithm is not recommended, because several operating systems and browser vendors already have a deprecation policy for SHA-1 support. It is now the case that system libraries and operating system APIs are starting to penalise the use of SHA-1, e.g. Android 12 is known to block certificates signed with SHA-1. Therefore, for new certificates, SHA-256 is recommended to avoid problems with the certificate in the future. |
| Key Algorithm | Minimum: RSA Recommended: ECC | RSA certificates (so named after the key algorithm of the key material in the certificate) have long been the standard for certificates across the world. However, as key sizes (below) grow, so does the certificate size. As the certificate sizes increases, the chances of RADIUS packets being fragmented increase, which in turn causes issues with some firewalls performing packet or SSL/TLS inspection and UDP fragment DDoS protection (Microsoft Azure cloud services for example will throw away UDP packets when packet fragments do not arrive in the specific order that they should be reassembled in). The vast majority of modern devices and operating systems support ECC certificates (also known as ECDSA certificates). ECC certificates are based on elliptic curve cryptography (hence the name), which uses maths behind defining specific curves to generate keys, which in turn are a lot smaller (but not less secure than large RSA keys) and are less likely to suffer from fragmentation. If your users are all using modern devices (Android 8, Windows 8, iOS 9 and above), you probably can/should change your server certificate to one using ECC, even if the root certificate is an RSA certificate. |
| Length of public key (applicable to RSA certificates) | Minimum: 2048-bit Recommended: 3072-bit or higher | Server certificates with a length of the public key below 1024 bits are considered invalid by some recent operating systems, e.g. Windows 7 and above. Having a server certificate (or an intermediate CA certificate) with a too small public key will create problems on these operating systems. The continued use of 1024-bit length keys is not recommended, because several operating systems and browser vendors already have a deprecation policy for this key length. While the deprecation in browser-based scenarios does not have an immediate impact on EAP server usage, it is possible that system libraries and operating system APIs will over time penalise the use of short key lengths. A 2048-bit key length is the most popular and default choice these days. However, some applications already suggest 3072 bits or more, and a longer key length does not have an extra cost (other than certificate size). It is recommended to create new certificates with 3072-bit keys or higher (4096-bit lengths have been tested and is also unproblematic) to avoid problems with the certificate in the future. |
| Extension: Extended Key Usage | TLS Web Server Authentication | Even though the certificate is used for EAP purposes, some popular operating systems (i.e. Windows XP and above) require the certificate extension "TLS Web Server Authentication" (OID: 1.3.6.1.5.5.7.3.1) to be present. Having a server certificate without this extension will create problems on these operating systems. |
| Extension: CRL Distribution Point | HTTP/HTTPS URI pointing to a valid CRL | Few very recent operating systems require this extension to be present; otherwise, the certificate is considered invalid. Currently, Windows Phone 8 is known to require this extension; Windows 8 can be configured to require it. These operating systems appear to only require the extension to be present; they don't actually seem to download the CRL from that URL and check the certificate against it. One might be tempted to fill the certificate extension with a random garbage (or intranet-only) URL which does not actually yield a CRL; however this would make the certificate invalid for all operating systems which do evaluate the extension if present. So the URL should be a valid one. |
| Extension: BasicConstraint (critical) | CA:FALSE | Server certificates must be marked as not being a CA. Omitting the BasicConstraint:CA totally is known to cause certificate validation to fail with Mac OS X 10.8 (Mountain Lion); setting it to TRUE is a security issue in itself. Always set the BasicConstraint "CA" to false, and mark the extension as critical, where possible. On Windows, the built-in certificate authority has a bug in that if you want to mark the BasicConstraint extension as critical, it will also set pathlen=0, which is not RFC-compliant and subsequently causes issues. If you use a Windows Certificate Authority, do not mark the BasicConstraint extension as critical in your certificate request. |
| Certificate Type | Domain-Validated (DV) or Organisation-Validated (OV) | There have been several reports that ChromeOS will refuse to accept Extended Validation (EV) certificates. You should avoid these types of certificates if you care about this operating system. |
| Validity Time | 825 days or fewer | Apple products as of macOS 10.15+ and iOS 13+ enforce this limit and consider certificates with a longer lifetime as untrusted. See also this Apple article for more information., or read about Michal Spacek's investigation and experience (granted, with Safari, but it apparently also applies to iDevices) at his blog: Michal Spacek: The validity period of user added CA certificates is 2 years |
Consideration 3: Which certificates to send in the EAP exchange
...