Background
The eduroam wireless network uses WPA2-Enterprise with Protected Extensible Authentication Protocol (PEAP) for client authentication. PEAP requires a server-side public key certificate to create a secure TLS tunnel between the client and the authentication server. Inside this encrypted tunnel, user credentials are safely exchanged and verified. This process ensures that sensitive login information is protected from eavesdropping.
...
The authentication server certificate is issued by the University's certificate authority (CA) provider, and must be renewed yearly.
Current certificate
Name | Expiry | Serial Number |
---|---|---|
eduroam.uwaterloo.ca | 15 Mar 2025 12:51:00 EDT | 3C:6B:CF:AD:9B:AE:C2:43:54:45:CC:10 |
Certificate Verification
To manually verify the certificate chain on macOS or Linux, perform the following:
...
Use openssl to extract the serial number from the certificate file
GlobalSignIntermediate.pem
openssl x509 -noout -serial -in GlobalSignIntermediate.pem | sed 's/.*=//g;s/../&:/g;s/:$//'
GlobalSignRootR3.pem
openssl x509 -noout -serial -in GlobalSignRootR3.pem | sed 's/.*=//g;s/../&:/g;s/:$//'
With the serial numbers recorded, visit the CA’s website and compare the listed values with the output from the terminal commands.
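The comparison step can be scripted so that differences in case or separators between the openssl output and the published value do not cause a false mismatch, and so that an openssl error is never mistaken for a match. This is an added example, not part of the original page; the function names are hypothetical, and the published serial for each CA file must be taken from the CA's website.

```shell
#!/bin/sh
# Added example: compare a certificate serial with a published value.

# Normalise a serial to upper-case, colon-separated byte pairs.
# Accepts "serial=3C6B...", "3c:6b:..." or "3C 6B ..." (hypothetical helper).
normalize_serial() {
    printf '%s' "$1" |
        sed 's/^.*=//' |        # drop openssl's "serial=" prefix
        tr -d ': \t\r\n' |      # drop any existing separators
        tr 'abcdef' 'ABCDEF' |  # published values may be lower-case
        sed 's/../&:/g;s/:$//'  # same colon formatting as the page's command
}

# Read the serial from a PEM file; empty output if openssl fails.
pem_serial() {
    normalize_serial "$(openssl x509 -noout -serial -in "$1" 2>/dev/null)"
}

# Return 0 only when both values are non-empty hex and identical.
# Return 2 when either value contains non-hex characters.
serials_match() {
    got=$(normalize_serial "$1")
    want=$(normalize_serial "$2")
    case "$got$want" in
        *[!0-9A-F:]*) return 2 ;;
    esac
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# usage: check_pem FILE PUBLISHED_SERIAL
check_pem() {
    actual=$(pem_serial "$1")
    if serials_match "$actual" "$2"; then
        echo "OK   $1 $actual"
    else
        echo "FAIL $1: got '$actual', published '$2'" >&2
        return 1
    fi
}

# Run as: sh check_serial.sh GlobalSignRootR3.pem "<serial from the CA's website>"
if [ "$#" -eq 2 ]; then
    check_pem "$1" "$2"
fi
```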
Putting it all together
When you connect to the eduroam Wi-Fi network for the first time, or for the first time after the yearly certificate renewal, your device will prompt you to accept the security certificate. It is good practice to examine the certificate and be confident that it comes from a trusted source.
...