Given the CA/Browser Forum's drive to progressively shorten certificate lifetimes in the near future for security reasons, the question of how to handle certificate renewal and automation is becoming ever more urgent. As of Q1 2025, all public CAs have committed to follow the CA/B Forum's recommendation to reduce server certificate lifetimes progressively to 47 days within the next few years.
This generally affects web services, but it is just as relevant for eduroam, since certificates are an integral part of many EAP methods usable within eduroam. Currently the need for automation applies to certificates that are signed by public certificate authorities (which fall under the CA/B Forum remit), but not to certificates from enterprise certificate authorities (i.e. private certificate authorities). This may change, however, given how operating systems handle certificates and often (falsely) assume that certificate use is limited to the web.
If you do not automate certificate renewal via a mechanism like SCEP or ACME/CertBot, this will increasingly cause administrative and technical issues for you. Consider looking at SCEP, ACME or CertBot, and treat support for any of these methods of automated certificate renewal as an important criterion when choosing a commercial CA.
What does this mean for eduroam?
Those who simply allow their users to tap on the eduroam network to connect, without using a tool like the eduroam CAT website or the geteduroam app, need to be aware that users will be prompted to accept a new certificate whenever the server certificate rolls over. This may not be entirely user friendly. Using a properly configured CAT profile (or a profile from an equivalent tool) that correctly configures server certificate validation (which is what CAT profiles do) can make that a non-issue, since the server certificate's validity is then verified against the certificate authority's root certificate, along with the common name of the certificate.
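The check below is an added example, not part of the eduroam documentation or of CAT: a gate that a renewal hook can run before installing a renewed certificate on the RADIUS server, confirming that the new certificate still chains to the root pinned in the profile and still carries the pinned server name. The function name, file arguments, return codes and the 7-day margin are assumptions; it requires OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example: pre-deployment gate for an automated certificate rollover.
# All names here (check_rollover, file arguments, margin) are assumptions.
#
# check_rollover CA_FILE NEW_CERT SERVER_NAME [MIN_DAYS]
#   CA_FILE      root certificate pinned in the supplicant profile (PEM)
#   NEW_CERT     renewed server certificate about to be installed (PEM)
#   SERVER_NAME  server name pinned in the supplicant profile
#   MIN_DAYS     minimum remaining validity required (default 7)
# Returns 0 if profiled clients will accept NEW_CERT without a prompt,
#         1 if it does not chain to CA_FILE,
#         2 if the chain is fine but the name does not match,
#         3 if it is valid but expires within MIN_DAYS.
check_rollover() {
    ca_file=$1 new_cert=$2 server_name=$3 min_days=${4:-7}

    # Chain check. If the CA issues through intermediates, they would be
    # supplied here with "-untrusted chain.pem".
    if ! openssl verify -CAfile "$ca_file" "$new_cert" >/dev/null 2>&1; then
        echo "REJECT: $new_cert does not chain to $ca_file" >&2
        return 1
    fi

    # Name check. OpenSSL compares against subjectAltName DNS entries and
    # falls back to the subject common name when there are none.
    if ! openssl verify -CAfile "$ca_file" -verify_hostname "$server_name" \
            "$new_cert" >/dev/null 2>&1; then
        echo "REJECT: $new_cert is not issued for $server_name" >&2
        return 2
    fi

    # Remaining validity, so the hook never installs a near-expired file.
    if ! openssl x509 -in "$new_cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "REJECT: $new_cert expires within $min_days days" >&2
        return 3
    fi

    echo "OK: $new_cert matches the pinned CA and name $server_name"
    return 0
}
```

A non-zero return means the hook should keep the current certificate in place and alert an administrator, because installing the new one would trigger prompts or connection failures on profiled devices.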
...
This topic is still under construction.
More information
See the CA/B Forum's vote here: https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-schedule-of-reducing-validity-and-data-reuse-periods/
Communications from Sectigo: https://www.sectigo.com/resource-library/sectigo-cab-reduce-ssl-tls-certificates-lifespan-47-days
Communications from DigiCert: https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days
Universiteit Twente (Netherlands) has some advice here: Automate your certificate management with ACME and SURF certificates
...