...
- The RADIUS/EAP server should send the server certificate and the intermediate(s) below USERTrust RSA Certification Authority. This is typically only one intermediate certificate, named "GEANT OV RSA CA 4" or "Sectigo RSA Organization Validation Secure Server CA".
- When using eduroam CAT as the onboarding tool, include only the root variant of USERTrust RSA Certification Authority.
- WARNING: With this shorter root alone, certificates subsequently issued by Sectigo themselves will not validate seamlessly; you must include the R46 and R36 intermediate certificates provided with your server certificate in your profile.
HARICA certificates issued by the GÉANT Certificate Service
HARICA has been the CA backing the GÉANT Certificate Service since January 2025. The server certificate issued by the service comes with the GEANT intermediate certificate. It is recommended to also add the Cross Certificate from HARICA Root CA 2015 to 2021 as a second intermediate certificate on the RADIUS server, after the GÉANT intermediate certificate. This way, supplicants that know only the Root CA 2015 can still connect securely. However, only the HARICA TLS Root CA 2021 should be uploaded to eduroam CAT for use during onboarding.
In summary:
- The RADIUS/EAP server should send the server certificate, the HARICA GEANT TLS intermediate certificate and the Cross Certificate from HARICA Root CA 2015 to 2021 as the second intermediate certificate.
  - ECC certificates: GEANT.pem (GEANT.txt), Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.pem (Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.txt)
  - RSA certificates: GEANT.pem (GEANT.txt), Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.pem (Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.txt)
- When using eduroam CAT as the onboarding tool, upload only the HARICA TLS Root CA 2021 to CAT.
  - ECC: Root-CA.pem (Root-CA.txt)
  - RSA: Root-CA.pem (Root-CA.txt)
Consideration 2: Recommended certificate properties
...