Eduroam certificate verification

Background

The eduroam wireless network uses WPA2-Enterprise with Protected Extensible Authentication Protocol (PEAP) for client authentication. PEAP requires a server-side public key certificate to create a secure TLS tunnel between the client and the authentication server. Inside this encrypted tunnel, user credentials are safely exchanged and verified. This process ensures that sensitive login information is protected from eavesdropping.

Client devices must trust the security certificate when prompted. Unlike SSL certificates used on the web, a wireless device will not automatically verify the validity of the certificate presented by the Wi-Fi authentication server. It is possible to preconfigure and install a profile containing the certificate, marking it as trusted, but that is outside the scope of this article.

The authentication server certificate is issued by the University's certificate authority (CA) provider, and must be renewed yearly.

Current certificate

Name: eduroam.uwaterloo.ca

Expiry: 15 Mar 2025 12:51:00 EDT

Serial Number: 3C:6B:CF:AD:9B:AE:C2:43:54:45:CC:10

Certificate Verification

To manually verify the certificate chain on macOS or Linux, perform the following:

  1. Save each of the following certificates to your local machine, with the listed names and extensions.

    1. eduroam.uwaterloo.ca.pem


    2. GlobalSignIntermediate.pem


    3. GlobalSignRootR3.pem


  2. Open a terminal and navigate to the directory where the certificate files were saved

  3. Use openssl to verify the certificate chain:

      1. A successful validation will output “eduroam.uwaterloo.ca.pem: OK” - any other result means the validation was unsuccessful.

 

You have just verified that the eduroam certificate file was signed by the intermediate and root certificates downloaded from this page. To continue with the validation, you can match the serial numbers of the intermediate and root certificates with known values from the CA.

  1. Use openssl to extract the serial number from the certificate file

    1. GlobalSignIntermediate.pem

    2. GlobalSignRootR3.pem


  2. With the serial numbers recorded, visit the CA’s website and compare the listed values with the output from the terminal commands.

    1. https://support.globalsign.com/ca-certificates/intermediate-certificates/organizationssl-intermediate-certificates

    2. https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates
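
One way to run the chain verification and the serial number comparison described above with OpenSSL 1.1.0 or later. This is an added example, not the article's own commands; the function names are hypothetical, and make_demo_chain builds a constructed throwaway chain so the checks can be tried offline.

```shell
#!/usr/bin/env bash
# Added example, not the article's own commands. Assumes OpenSSL 1.1.0 or later.
# Function names are hypothetical; file names in the usage lines are the page's.

# Verify LEAF with ROOT as the only trust anchor. The intermediate is passed as
# -untrusted, so it can help build the chain but never anchor it, and
# -no-CApath keeps the system's default certificate directory out of the decision.
verify_chain() {  # usage: verify_chain ROOT INTERMEDIATE LEAF
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3"
}

# Print a serial number as colon-separated hex, the form the article lists
# (openssl itself prints "serial=" followed by undelimited hex digits).
cert_serial() {  # usage: cert_serial CERT
    openssl x509 -in "$1" -noout -serial |
        sed -e 's/^serial=//' -e 's/../&:/g' -e 's/:$//'
}

# Succeed only if CERT's serial equals EXPECTED, ignoring colons and case.
serial_matches() {  # usage: serial_matches CERT EXPECTED
    got=$(cert_serial "$1" | tr -d ':')
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Build a throwaway root -> intermediate -> leaf chain in DIR: constructed
# sample input, so the functions above can be tried offline.
make_demo_chain() {  # usage: make_demo_chain DIR
    ( cd "$1" || exit 1
      printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=x' \
          '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > demo.cnf
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config demo.cnf \
          -extensions v3_ca -subj '/CN=Constructed Root' \
          -keyout root.key -out root.pem
      openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
          -subj '/CN=Constructed Intermediate' -keyout int.key -out int.csr
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 2 \
          -days 2 -extfile demo.cnf -extensions v3_ca -out int.pem
      openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
          -subj '/CN=leaf.example.test' -keyout leaf.key -out leaf.csr
      openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
          -set_serial 0x1A2B3C -days 2 -out leaf.pem
    ) >/dev/null 2>&1
}

# With the article's three files saved in the current directory:
#   verify_chain GlobalSignRootR3.pem GlobalSignIntermediate.pem eduroam.uwaterloo.ca.pem
#   serial_matches eduroam.uwaterloo.ca.pem 3C:6B:CF:AD:9B:AE:C2:43:54:45:CC:10
```

verify_chain prints "<file>: OK" and returns zero only when the leaf chains to the given root; a root with the same name but a different key makes it fail.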

 

Putting it all together

When you connect to the eduroam Wi-Fi network for the first time, or for the first time after the yearly certificate renewal, your device will prompt you to accept the security certificate. It is good practice to examine the certificate and be confident that it comes from a trusted source.

You can view the serial number of the eduroam certificate on your device, and use this page to match up the serial numbers. This confirms that the certificate you are being asked to trust is the same certificate that IST has deployed.

Then, you can verify that the eduroam certificate has been cryptographically signed by the University’s CA provider using the GlobalSign certificates listed on this page.

Finally, you can verify using the GlobalSign website that the certificates listed here match the official certificates online.

Need help?

Contact the IST Service Desk online or 519-888-4567 ext. 44357.
