Wireless LAN/CA migration



The certificates that Nikhef uses for eduroam are expiring. The Certificate Authority "AddTrust External Root" expires on the 30th of May and our wireless.nikhef.nl eduroam certificate expires on the 29th.

This means Nikhef will have to get a new certificate for eduroam and cannot reuse the same Certificate Authority to get it.


Certificate Authorities are like notaries and essentially give out signed and notarized copies of an identity document, which is called a certificate. Devices connecting to eduroam (e.g. laptops and smartphones) trust several notaries to verify the identity of authentication servers. This trust is gained by auditing the notary and expires about 10 years after the initial audit. In this case, the trust for the Certificate Authority is expiring, so Nikhef needs to switch to another Certificate Authority.

Until recently, most devices supported only one Certificate Authority per WiFi profile, and by default they still select only one when you connect by just entering credentials. This means that most Nikhef eduroam clients trust only one Certificate Authority, and that is the one that will expire. The new, updated profiles also fix this.

Nikhef will have to move to a new certificate supplier and replace the certificate for eduroam.

What do I need to do?

Every device connecting to eduroam needs an updated eduroam profile before the 28th of May. This ensures there will be no downtime either before or after the certificate is replaced. The new profiles will work with the old and the new certificates.

You have to reconfigure your eduroam profile on all your devices before the 28th of May.

Note: If you're using an eduroam account from a different institute (@vu.nl, @uva.nl) you don't need to do anything. Only devices that use eduroam with a username@nikhef.nl should be updated.

How do I reconfigure my devices?


Windows

Use the Eduroam Configuration Assistant Tool. For detailed steps, see Wireless_LAN#Windows.


Linux

  • If you're using NetworkManager (the default for most distributions), download File:Eduroam-nm.sh and run "sh Downloads/Eduroam-nm.sh" from a terminal. This will update the eduroam profile and make sure you're using the optimal settings for eduroam.
  • If you're using something else to configure the network, like wicd or wpa_supplicant, please use the settings described at Wireless_LAN#Linux.

Apple macOS and iOS

  • Download File:Nikhef-eduroam-signed.mobileconfig and click/tap on the file to import the correct eduroam profile. It will ask for your permission to update the Certificate Authorities and will then configure eduroam correctly.


Android

Download the latest app from the Google Play Store. Run the app and enter your Nikhef username and password (without @nikhef.nl).

Questions & Answers

 Q: What happens if I do not perform the actions in time?
 A: Your device will not be able to connect to the eduroam (or NIKHEF) WiFi network.
 Q: Can the CT postpone the deadline?
 A: No, certificates are provided by other organizations and cannot be changed, so the existing expiration date is fixed.
 Q: Can the CT change the setting on my phone remotely?
 A: No, the CT does not have access to devices like laptops and phones. The required actions must be performed by the user. If you need help, you can contact the CT Helpdesk.
 Q: I work for a university and use my university's account to connect to eduroam. Do I need to change my laptop/phone settings?
 A: No, you only need to perform the actions if you use a Nikhef account.
 Q: Help!
 A: Please contact the CT Helpdesk.