2025-12 Advisory: Action needed before expiry of Sectigo-GÉANT certificates renewed in Jan 2025


Switching to a new certification authority for eduroam RADIUS server certificates

Released: 5/12/2025

The initial audience for this advisory is organisations whose Sectigo-GÉANT certificates, issued through the Jisc Certificate Service and renewed in December 2024 and January 2025, are due to expire in December 2025 and January 2026. It can also be read as a general guide to migrating your RADIUS server certificates from one certification authority to another.

Contents

  • Background
  • Certification authority options
  • Continuity of service during change of Certification Authority for eduroam server certificates
  • Communications with your user base and support available to you

Background

On January 10th 2025, the Sectigo certification authority (CA) ended its sector agreement with GÉANT and, by extension, Jisc. After that date, no further certificates could be renewed or newly issued. Whilst many Jisc members purchased Sectigo-GÉANT certificates through the Jisc Certificate Service (JCS) for use as web certificates, a significant number also used them for their eduroam RADIUS servers. Those certificates are now nearing their expiry dates, so urgent action is needed to ensure a smooth transition to the replacement certificates on which continuity of eduroam service depends.

With DigiCert confirmed as the new certification authority partner for the JCS, the options available to eduroam(UK) member organisations are now much clearer. eduroam(UK) wishes to inform members still using Sectigo-GÉANT certificates issued in late 2024/early 2025 of the available replacement options and to urge immediate action. Whichever certification authority is chosen, the decision must be made now and the migration steps below started immediately.

Certification authority options

  1. Take advantage of the JCS-DigiCert framework for Jisc member organisations to purchase DigiCert certificates at advantageous rates via the DigiCert CertCentral portal.
  2. Stay with Sectigo and purchase certificates through the Sectigo portal.
  3. Switch to an alternative public CA (e.g. SSL.com, GoDaddy, ZeroSSL, Let’s Encrypt).
  4. Operate your own private CA and generate your own certificates.

The pros and cons of using a commercial CA versus operating your own CA are well documented elsewhere and the choice as to which certification solution to opt for is entirely for the member organisation to make.

Continuity of service during change of Certification Authority for eduroam server certificates

Having decided on the desired certificate solution there are some common steps that need to be taken when migrating between certification authorities, as set out below.

Recommended actions to be taken:

  1. Update your eduroam CAT profile(s) for your users by adding the root (and intermediate) certificate of your chosen certification authority, leaving the existing USERTrust/Comodo (Sectigo) root certificates in place in the EAP profile. (This allows users to continue to authenticate against your current server certificate whilst readying their devices for the new certificate you will install when the old one expires.) Do this as soon as possible, being mindful of any policy issue such as a change freeze (e.g. over Christmas).
  2. Notify your users well in advance of the intended switch-over date (either the day of expiry of the current server certificate, or the day you will be installing your newly purchased/minted certificate) that for continued eduroam access they will have to update the configuration of their BYOD devices. Encourage users to update their eduroam profile using the geteduroam app *before* that switch date. (This ensures successful authentication over the transition, since both the old and the new certificate can then be validated.)
  3. Nearer your intended switch date, if you haven’t purchased/minted your new certificate, do so, ensuring that the Common Name (CN) of your certificate matches the one on your existing certificate. You must also ensure that the certificate includes the SubjectAltName:DNS extension (SAN) with a value matching the CN name.
  4. After acquiring your replacement certificate it is recommended that you install the certificate chain (comprising the server certificate and intermediates, but not the CA root) onto a test server and check that it can be validated against your CAT profile as modified in step 1. If you support managed devices through an MDM solution you should modify your configuration to support the replacement certificate CA. Near to change-over day you may wish to remind your users that those who have not yet reconfigured their devices must do so before the intended switch date.
  5. Switch the eduroam RADIUS server certificate(s) to your new certificate chain on your switch date. Your users should experience one of the following:
  • Those users who *did* follow instructions correctly should *not* see any changes whatsoever; they should simply continue to connect without interruption.
  • Those users who manually connected (i.e. tapped on the network and connected that way, which is *not* recommended) will probably be notified that the server certificate has changed and that they must approve trusting the new certificate.
  • Those users with CAT/geteduroam installed profiles who did not follow instructions will likely fail to connect to eduroam.
  6. After the switch date, update your eduroam CAT profile(s) for your users by removing the now obsolete root certificates, reducing the size of the profile.
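The following is an added example and is not code from the eduroam(UK) advisory or from Jisc. It rehearses, with only the openssl command line, the checks behind steps 1, 3, 4 and 5 above: that the CAT profile's root bundle (old and new roots together) still validates the expiring certificate and accepts the new chain, that the replacement certificate's SAN carries the CN, and what happens for a device whose profile still trusts only the old root or for a server that presents the leaf without its intermediate. To run offline it builds throw-away material: hypothetical "old" and "new" CAs (standing in for the USERTrust/Comodo root and for whichever CA you choose) and certificates for the made-up host radius.example.ac.uk. All CA names, file names and the host name are assumptions; against your real material you would feed check_cn_san your purchased certificate and verify_against_profile the root bundle from your CAT profile plus the chain your RADIUS server presents.

```shell
#!/bin/sh
# Added example, not part of the eduroam(UK) advisory. Throw-away PKI: an "old"
# root (stand-in for USERTrust/Comodo), a "new" root + intermediate (stand-in for
# the chosen CA) and server certificates for the hypothetical RADIUS server
# radius.example.ac.uk. Every CA name, file name and host name here is made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="radius.example.ac.uk"   # must equal the CN on the certificate being replaced

# Minimal OpenSSL config: a CA profile, a RADIUS/EAP server profile (serverAuth
# EKU, SAN carrying the CN) and a deliberately broken server profile with no SAN.
write_config() {
  cat > "$WORK/eap.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $SERVER_NAME
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
[v3_server_nosan]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
}

make_root() {  # $1 = file stem, $2 = CN; self-signed, -subj overrides the [dn] section
  openssl req -x509 -config "$WORK/eap.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 30 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue() {  # $1 = stem, $2 = CN, $3 = issuer stem, $4 = extension profile from eap.cnf
  openssl req -new -config "$WORK/eap.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/eap.cnf" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}

make_test_pki() {
  write_config
  make_root old_root "Hypothetical Old Root CA"
  issue old_server "$SERVER_NAME" old_root v3_server          # the expiring certificate
  make_root new_root "Hypothetical New Root CA"
  issue new_inter  "Hypothetical New Intermediate CA" new_root v3_ca
  issue new_server "$SERVER_NAME" new_inter v3_server         # replacement: CN + matching SAN
  issue bad_server "$SERVER_NAME" new_inter v3_server_nosan   # replacement minted without a SAN
  # Step 1: during the transition the CAT profile trusts BOTH roots.
  cat "$WORK/old_root.pem" "$WORK/new_root.pem" > "$WORK/cat_both_roots.pem"
  # Step 4: the RADIUS server presents leaf + intermediate(s), never the root.
  cat "$WORK/new_server.pem" "$WORK/new_inter.pem" > "$WORK/new_chain.pem"
}

# Step 3 check: a SAN DNS entry must equal the CN. openssl's -verify_hostname
# quietly falls back to the CN when no SAN exists, so inspect the extension itself.
check_cn_san() {  # $1 = certificate file; exit 0 only if the SAN carries the CN
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
       | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/')
  san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr -d ' ' | grep -o 'DNS:[^,]*' | sed 's/^DNS://')
  echo "$1: CN=$cn SAN=${san:-<none>}"
  [ -n "$san" ] || return 1
  printf '%s\n' "$san" | grep -qxF "$cn"
}

# Steps 4/5 check: does the leaf chain up to a root in the trust bundle, with
# server purpose (serverAuth EKU) and host name checked as a supplicant would?
# $1 = trusted roots (what the CAT profile carries), $2 = chain file presented by
# the RADIUS server (leaf first, then intermediates), $3 = the leaf certificate.
verify_against_profile() {
  openssl verify -CAfile "$1" -untrusted "$2" -purpose sslserver \
    -verify_hostname "$SERVER_NAME" "$3" >/dev/null 2>&1
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

make_test_pki
cd "$WORK"
report check_cn_san new_server.pem   # PASS
report check_cn_san bad_server.pem   # FAIL: no SAN at all
# Transition profile (both roots) still validates the old cert and accepts the new chain.
report verify_against_profile cat_both_roots.pem old_server.pem old_server.pem   # PASS
report verify_against_profile cat_both_roots.pem new_chain.pem  new_server.pem   # PASS
# Device that never refreshed its profile trusts only the old root (step 5, third bullet).
report verify_against_profile old_root.pem new_chain.pem new_server.pem          # FAIL
# Leaf installed without its intermediate: no chain can be built even with the right roots.
report verify_against_profile cat_both_roots.pem new_server.pem new_server.pem   # FAIL
```

Two details in the check are worth keeping when you adapt it: `-purpose sslserver` makes openssl insist on the TLS Web Server Authentication (serverAuth) extended key usage, which Windows supplicants require on the EAP server certificate, and the separate CN/SAN comparison is needed because `-verify_hostname` alone would happily accept a certificate whose name lives only in the CN.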

Communications with your user base and support available to you

Communications with users: given that the ending of the Sectigo-based service at the start of January took place at an inconvenient time shortly after the festive period, and that the renewed certificates will expire at a similar time of year, early decision-making and clear communication about the change will be key to a successful switch between certification authorities.

The eduroam(UK) team is available to assist with any changes needed and can be reached by logging a helpdesk ticket via help@jisc.ac.uk or the eduroam webform at https://www.jisc.ac.uk/forms/eduroam-support-request