...
HARICA has been the CA backing the GÉANT Certificate Service since January 2025. The server certificate issued by the service comes with the GEANT intermediate certificate. It is recommended to also add the Cross Certificate from HARICA Root CA 2015 to 2021 as a second intermediate certificate after the GÉANT intermediate certificate. This way, supplicants with knowledge of only the Root CA 2015 can still connect securely. It is recommended to put only the HARICA Root CA 2015 into eduroam CAT for use during onboarding, since you may experience problems with Windows clients if you use the HARICA TLS Root CA 2021 (although it gives a shorter chain). Adding both roots will result in Passpoint not working on Android.
In summary:
- The RADIUS/EAP server should send the server certificate, the HARICA GEANT TLS intermediate certificate and the Cross Certificate from HARICA Root CA 2015 to 2021 as a second intermediate certificate
- ECC certificates: GEANT.pem (GEANT.txt) Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.pem (Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.txt)
- RSA certificates: GEANT.pem (GEANT.txt) Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.pem (Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.txt)
- When using eduroam CAT as the onboarding tool, upload the HARICA Root CA 2015 to CAT
- ECC: Root-CA.pem (Root-CA.txt)
- RSA: Root-CA.pem (Root-CA.txt)
- If you want a shorter chain and you're not experiencing problems with Windows clients when using the setup above, you can upload only the HARICA TLS Root CA 2021 to CAT
- ECC: Root-CA-
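
One way to check the chain file before deploying it, as an added example that is not part of the original page: `chain_order_ok` confirms the bundle is ordered server certificate, intermediate, cross certificate, and `verifies_with_root` confirms the server certificate validates when a supplicant trusts only one given root. The function names are illustrative, all file names are supplied by the caller, and OpenSSL 1.1.0 or later is assumed for `-no-CApath`.

```shell
#!/bin/sh
# Added example (not from the original page): checks on the PEM chain file a
# RADIUS/EAP server sends. All file names are the caller's own.

# Split bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ...; print how many.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

# Print the issuer ($1 = issuer) or subject ($1 = subject) DN of certificate $2.
dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1=//"
}

# Succeeds when each certificate is issued by the one that follows it:
# server certificate, then intermediate, then cross certificate.
chain_order_ok() {
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp")
    rc=0; i=1
    [ "$count" -ge 2 ] || rc=1
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$count" ]; do
        [ "$(dn issuer "$tmp/cert-$i.pem")" = "$(dn subject "$tmp/cert-$((i + 1)).pem")" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Succeeds when the first certificate of bundle $2 validates with root $1 as
# the trust anchor and the bundle itself as untrusted intermediates. The
# system CA directory is excluded so a locally installed root cannot help.
verifies_with_root() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$2" "$tmp" >/dev/null
    rc=0
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$tmp/cert-1.pem" \
        >/dev/null 2>&1 || rc=1
    rm -rf "$tmp"
    return "$rc"
}
```

A chain file that omits the cross certificate still passes `chain_order_ok` but fails `verifies_with_root` against the Root CA 2015, which is the case the recommendation above is meant to prevent.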
Consideration 2: Recommended certificate properties
...