2024-12 Advisory: Change of JCS certificate supplier impact on eduroam members

Released: 20/12/2024 (Updated 21/12/2024)
This advisory is relevant only to organisations using the Jisc Certificate Service (generally via the Sectigo portal) for Comodo/USERTrust/GEANT CA certificates for RADIUS servers. Organisations using commercial CA certificates or their own Certification Authority may safely ignore this advisory. Urgent action is recommended before 9th January 2025.
Contents
- Summary of recommended action
- Background, key points and implications
- Recommended transition plan and actions
- Support
Summary of recommended action
In general it is recommended that certificates issued through the Jisc Certificate Service which are due to expire before the end of February 2025 are renewed early to avoid any potential disruption.
Because of the increased risk of disruption to eduroam services that use a public PKI root, we recommend that affected member organisations whose eduroam RADIUS server certificates will expire before September 2025 take urgent action before 9th January 2025: renew and download those certificates, well before their expiry dates, before the option to renew closes and access to the Sectigo portal ceases. Certificate installation and the transition to the new JCS certificate provider can then be scheduled into the routine workplan as described below.
Background, key points and implications
Due to an unresolved legal dispute between our supplier GÉANT and their provider Sectigo, the current certificate service will stop on 9 January 2025 and be inaccessible from 10 January 2025.
All organisations already utilising the Jisc Certificate Service (JCS) should have received a notification e-mail from certificates@jisc.ac.uk on Monday 9th December. The e-mail was sent to the registered contacts for the service.
The notification describes the imminent changes to the Jisc Certificate Service and the impact it will have on current users of certificates and the Sectigo portal. There is more information available at https://trustandidentity.jiscinvolve.org/wp/2024/12/09/faqs-relating-to-the-jisc-certificate-service-announcement-on-09-12-2024/
The key points are:
- You will not be able to acquire or renew Sectigo-supplied certificates from 9th January
- The Sectigo portal will become unavailable as of 10th January
- Currently valid certificates should remain valid until their expiry dates and they will not be revoked
- Certificates renewed before 9th January will be valid for 12 months.
Replacement certificate provider; impact on your service; transition path to new CA:
A replacement service through DigiCert is being arranged. Jisc has formally issued a voluntary ex-ante transparency (VEAT) notice to appoint DigiCert as the new provider and is working towards a seamless transition from Sectigo.
Therefore, to provide a transition path for your eduroam users, eduroam(UK) is recommending immediate early renewal, with the current CA, of RADIUS server certificates that will expire prior to September 2025, as the likely period of least disruption, and that plans be made for an orderly transition to the new CA.
Recommended transition plan and actions
Consequences of the change of server cert CA: The change of Certification Authority for your future certificates on eduroam RADIUS servers means that user device Wi-Fi profiles and trusted certificate stores will also need to be updated. For managed devices this can be accomplished through GPO, Intune or other MDM systems. For BYOD in particular, many organisations use CAT to provision device setup. For CAT, the GEANT eduroam wiki provides guidance on this at: https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators#AguidetoeduroamCATforIdPadministrators-ReplacingtheRADIUSserverrootCAcertificate
Review how to protect your eduroam Home service: In the light of the required change of Root CA, we recommend you take time to review the EAP Server Certificate Considerations and consider changing to a private Root CA for securing your eduroam Home service.
Extending support for the current CA: to give you time to make the change to the new JCS certificate provider, we recommend that, as soon as possible (prior to 9th Jan), you use the Sectigo portal to renew and download your server certificates that will expire before September 2025. The renewed certificates do not need to be installed immediately; you can schedule the work to fit into your work programme when it suits.
Timing of move to new JCS certificate provider: Once you have installed your renewed Sectigo-supplied server certificates, the CA root remains unchanged, so the current eduroam Wi-Fi profiles for your users will remain valid until either a) you replace the server cert with a cert from the new JCS provider, or b) the renewed server cert expires (12 months from renewal).
However, when you replace your server certificate with a certificate from the new provider, your users' eduroam profiles will need to support the new CA and the CA root cert will need to be in the devices' trusted certificate stores.
Timing of the change of device setup provisioning: this needs to be carefully planned. It is likely that you will want to do this to coincide with the influx of new students around Autumn 2025. New students can be given the updated profile and new CA root certificate. Continuing students, staff and researchers can be migrated to a dual CA interim profile and CA root well ahead of the switch. For CAT deployments this is as described in the eduroam wiki guide above, and a similar approach can be adopted for other provisioning solutions. (You may wish to provide guidance via manual instructions, but this approach is not recommended.)
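To decide which RADIUS server certificates fall under the renewal recommendation above, the following added example (not part of the original advisory and not Jisc tooling) triages the output of `openssl x509 -noout -issuer -enddate -in cert.pem` against the advisory's dates. The issuer keywords, action labels and sample outputs are assumptions of this example; the samples are constructed, not real certificates.

```python
from datetime import datetime, timezone

# Keywords come from the advisory's wording; matching on issuer text is this
# example's assumption, not an official Jisc test.
JCS_ISSUER_KEYWORDS = ("comodo", "usertrust", "geant", "sectigo")
RENEWAL_DEADLINE = datetime(2025, 1, 9, tzinfo=timezone.utc)  # act before this date
RADIUS_CUTOFF = datetime(2025, 9, 1, tzinfo=timezone.utc)     # "before September 2025"

def parse_openssl(text):
    """Parse output of: openssl x509 -noout -issuer -enddate -in cert.pem"""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if "issuer" not in fields or "notAfter" not in fields:
        raise ValueError("expected issuer= and notAfter= lines")
    not_after = datetime.strptime(fields["notAfter"], "%b %d %H:%M:%S %Y GMT")
    return fields["issuer"], not_after.replace(tzinfo=timezone.utc)

def triage(text, today):
    """Map one certificate to the action the advisory recommends (labels are ours)."""
    issuer, not_after = parse_openssl(text)
    if not any(k in issuer.lower() for k in JCS_ISSUER_KEYWORDS):
        return "not-affected"                    # commercial or private CA
    if not_after >= RADIUS_CUTOFF:
        return "plan-transition"                 # outlives the cut-off; schedule CA change
    if today < RENEWAL_DEADLINE:
        return "renew-and-download-now"          # portal still open
    return "replace-with-new-ca-before-expiry"   # renewal with current CA no longer possible

# Constructed sample outputs (not real certificates).
SAMPLE_EXPIRING = ("issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4\n"
                   "notAfter=Mar 14 23:59:59 2025 GMT\n")
SAMPLE_RENEWED = ("issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4\n"
                  "notAfter=Dec 22 23:59:59 2025 GMT\n")
SAMPLE_PRIVATE = ("issuer=CN = Example University Private Root CA\n"
                  "notAfter=Jun  1 12:00:00 2025 GMT\n")

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, sample in [("expiring", SAMPLE_EXPIRING), ("renewed", SAMPLE_RENEWED),
                         ("private", SAMPLE_PRIVATE)]:
        print(name, triage(sample, now))
```
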
Support
Support is, as always, available from eduroam(UK) via e-mail to help@jisc.ac.uk or by using the support request form at the bottom of any page on Support Server.