Eduroam certificate verification

Background

The eduroam wireless network uses WPA2-Enterprise with Protected Extensible Authentication Protocol (PEAP) for client authentication. PEAP requires a server-side public key certificate to create a secure TLS tunnel between the client and the authentication server. Inside this encrypted tunnel, user credentials are safely exchanged and verified. This process ensures that sensitive login information is protected from eavesdropping.

Client devices must trust the security certificate when prompted. Unlike SSL certificates used on the web, a wireless device will not automatically verify the validity of the certificate presented by the Wi-Fi authentication server. It is possible to preconfigure and install a profile containing the certificate, marking it as trusted, but that is outside the scope of this article.

The authentication server certificate is issued by the University's certificate authority (CA) provider, and must be renewed yearly.

Current certificate

| Name | Expiry | Serial Number | Status |
|---|---|---|---|
| eduroam.uwaterloo.ca | 27 Mar 2027 | 58:B3:BE:C0:A9:C7:CF:A1:28:DC:D1:E3 | Active |
| eduroam.uwaterloo.ca | 23 Mar 2026 | 14:B4:2D:42:D2:43:B7:24:70:E3:51:9B | Retired |
| eduroam.uwaterloo.ca | 15 Mar 2025 | 3C:6B:CF:AD:9B:AE:C2:43:54:45:CC:10 | Retired |

Certificate Verification

To manually verify the certificate chain on macOS or Linux, perform the following:

  1. Save each of the following certificates to your local machine, with the listed names and extensions

    1. eduroam.uwaterloo.ca.pem


    2. GlobalSignIntermediate.pem


    3. GlobalSignRootR3.pem


  2. Open a terminal and navigate to the directory where the certificate files were saved

  3. Use openssl to verify the certificate chain:

    1. openssl verify -CAfile GlobalSignRootR3.pem -untrusted GlobalSignIntermediate.pem eduroam.uwaterloo.ca.pem
      1. A successful validation will output “eduroam.uwaterloo.ca.pem: OK” - any other result means the validation was unsuccessful.

 

You have just verified that the eduroam certificate file was signed by the intermediate and root certificates downloaded from this page. To continue with the validation, you can match the serial numbers of the intermediate and root certificates with known values from the CA.

  1. Use openssl to extract the serial number from the certificate file

    1. GlobalSignIntermediate.pem

      1. openssl x509 -noout -serial -in GlobalSignIntermediate.pem | sed 's/.*=//g;s/../&:/g;s/:$//'
    2. GlobalSignRootR3.pem

      1. openssl x509 -noout -serial -in GlobalSignRootR3.pem | sed 's/.*=//g;s/../&:/g;s/:$//'

         

  2. With the serial numbers recorded, visit the CA’s website and compare the listed values with the output from the terminal commands.

    1. https://support.globalsign.com/ca-certificates/intermediate-certificates/organizationssl-intermediate-certificates

    2. https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates

 

Putting it all together

When you connect to the eduroam Wi-Fi network for the first time, or for the first time after the yearly certificate renewal, your device will prompt you to accept the security certificate. It is good practice to examine the certificate and be confident that it comes from a trusted source.

You can view the serial number of the eduroam certificate on your device, and use this page to match up the serial numbers. This confirms that the certificate you are being asked to trust is the same certificate that IST has deployed.

Then, you can verify that the eduroam certificate has been cryptographically signed by the University’s CA provider using the GlobalSign certificates listed on this page.

Finally, you can verify using the GlobalSign website that the certificates listed here match the official certificates online.
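The checks above can be run in one pass. The script below is an added example, not part of the original article or an IST tool: it verifies the chain, confirms that the leaf certificate's serial number matches the Active entry in the table on this page, and prints the intermediate and root serial numbers for comparison with the GlobalSign website. The function names are hypothetical, and the three arguments are assumed to be the PEM files saved in step 1.

```shell
#!/bin/sh
# Serial of the Active eduroam.uwaterloo.ca certificate, copied from the table on this page.
EXPECTED_LEAF_SERIAL="58:B3:BE:C0:A9:C7:CF:A1:28:DC:D1:E3"

# Convert openssl's "serial=58B3BE..." output to the colon-separated form used on this page.
format_serial() {
    printf '%s\n' "$1" | sed 's/.*=//;s/../&:/g;s/:$//' | tr 'a-f' 'A-F'
}

# Print the colon-separated serial number of a PEM certificate file.
cert_serial() {
    format_serial "$(openssl x509 -noout -serial -in "$1")"
}

# Succeed only if both serials are non-empty and equal, ignoring case and whitespace.
serials_match() {
    a=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: check_eduroam_chain LEAF.pem INTERMEDIATE.pem ROOT.pem
# Returns 0 if every check passes, 1 on a failed check, 2 if a file is missing.
check_eduroam_chain() {
    leaf=$1 inter=$2 root=$3
    for f in "$leaf" "$inter" "$root"; do
        [ -r "$f" ] || { echo "missing file: $f" >&2; return 2; }
    done
    # Same command as step 3: the leaf must chain through the intermediate to the root.
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 \
        || { echo "FAIL: certificate chain does not verify" >&2; return 1; }
    # The leaf must be the certificate this page lists as Active, not a retired one.
    got=$(cert_serial "$leaf")
    serials_match "$got" "$EXPECTED_LEAF_SERIAL" \
        || { echo "FAIL: leaf serial $got is not $EXPECTED_LEAF_SERIAL" >&2; return 1; }
    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -noout -checkend 0 -in "$leaf" >/dev/null \
        || { echo "FAIL: leaf certificate has expired" >&2; return 1; }
    echo "OK: chain verifies and leaf serial matches this page"
    echo "Compare these serial numbers with the CA's website:"
    echo "  intermediate: $(cert_serial "$inter")"
    echo "  root:         $(cert_serial "$root")"
}

# Run the checks only when the three file names are supplied on the command line.
if [ "$#" -eq 3 ]; then check_eduroam_chain "$@"; fi
```

Run it as `sh check.sh eduroam.uwaterloo.ca.pem GlobalSignIntermediate.pem GlobalSignRootR3.pem` (the script file name is arbitrary). The serial number shown in your device's certificate prompt still has to be compared by eye with the table on this page.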

Need help?

Contact the IST Service Desk online or 519-888-4567 ext. 44357.
