eduPKI eduroam RA
The eduPKI eduroam RA is responsible for issuing eduroam server certificates to eduroam operators, for use with RADIUS/TLS deployments.
There are two types of server certificates:
- eduroam SP profile: for eduroam Service Providers (operators of an eduroam hotspot, or proxy relays for one or more eduroam hotspots)
- eduroam IdP profile: for eduroam Identity Providers (operators of an eduroam realm, or proxy relays for one or more eduroam Identity Providers)
Note: one certificate can carry both profiles at the same time. This is actually the default case since IdPs often also operate a hotspot of their own.
To request and be issued an eduroam server certificate, an eduroam administrator must complete three steps, explained below:
1. Authorisation: make sure that your email address is listed as an eduroam operator. eduPKI eduroam RA will only issue certificates with a contact email address that’s listed in the eduroam operator database.
   The profiles you request for your certificate must also match your entry in the database.
   - if you are listed as an eduroam IdP only, your certificate will be allowed to carry only the eduroam IdP profile.
   - if you are listed as an eduroam SP only, your certificate will be allowed to carry only the eduroam SP profile.
   - if you are listed as both, or if you are a proxy or federation operator, the certificate will be allowed to carry both profiles.
2. Authentication: we need to perform identity vetting on your certificate request. eduPKI eduroam RA currently supports two ways of identity vetting; you can choose either of the two:
   - TCS Personal Certificates: if you are in possession of a TCS Personal Certificate, you can use this in step 3 to send a signed email with the certificate request form.
   - PGP/GPG signature: if you have a PGP/GPG key, please make sure that the key is signed by your federation operator, and is available on commodity keyservers. You can then use this in step 3 to send a signed email with the certificate request form.
3. Certificate request: please navigate to the eduPKI CA interface, open the “eduroam Certificate Request Generator (eduPKI CA)”, and fill out the form. Note that:
   - Contact Data: these fields must match the contents of the eduroam Database (see step 1 above)
   - Certificate profile: your selection must be consistent with your entry in the eduroam Database (see step 1 above)
   - Organisation: eduPKI CA only issues certificates to legal entities. If your eduroam installation is only a department of a legal entity, remember to fill in your parent entity’s name.
After submitting the form, you will receive a private key to save locally, and a PDF form. Please send this PDF form via a signed email (as per the requirements in step 2) to firstname.lastname@example.org. The email signature must be for the email address that is in the certificate request.
The eduPKI eduroam RA personnel will verify that the request is in order and will issue your certificate as quickly as possible. The verification procedure includes human processing and is not instant; please allow for a few business days.