Managing accredited CAs in eduroam servers
As at May 2020, this section may be outdated. The TACAR list of eduPKI eduroam certificates does not include the eduPKI CA certificate described below and does include a certificate that is not widely accepted. There are planned changes that may result in this process being entirely revised. However, in the meantime, use of TACAR will lead to FetchCRL3 errors, and including the eduPKI CA certificate manually is required for a functioning eduroam RadSec implementation.
The number of accredited CAs and the list of certificates can change at any time. It is important that all eduroam servers consult an up-to-date list of accredited CAs. The list of currently accredited CAs is maintained in a TERENA repository of the TACAR service. A browsable list can be found here: https://www.tacar.org/cert/list/
eduroam operations will make available scripts for easy regular download and update of the accredited CAs. On UNIX-like systems, this script should be executed in a cron job on a regular basis (we suggest daily).
Please refrain from manually downloading CAs as a one-time action. Otherwise, your CA list will eventually become outdated and this will create service disruption for some eduroam users!
There is currently one accredited Certification Authority: the eduPKI CA, located at https://www.edupki.org/edupki-ca/. eduPKI CA acts as a catch-all for all areas within the GEANT service area worldwide for eduroam participant countries which do not have their own accredited CA for the eduroam service. Such further CAs are welcome to apply for eduPKI PMA accreditation.
eduroam operators should request their eduPKI CA eduroam certificate by following the instructions on the eduPKI CA eduroam RA pages at: http://www.eduroam.org/index.php?p=europe&s=edupki
Updating CRLs on your server
Since certificates may need to be revoked, for example after a private key compromise, it is important that all RADIUS servers which validate eduroam-accredited CAs consult an up-to-date CRL for each of the CAs. eduroam suggests using the script "FetchCRL3", which was developed in the Grid community for this very purpose (download here).
- place the .info files of all accredited CAs into one otherwise empty directory (download edupki.info). Let's assume for this example that the path to those files is
/path/to/certificates/
- find out the command which restarts your RADIUS server on your system. Let's assume for this example that the command is
systemctl restart radiusd.service
- The following command will attempt to fetch an up-to-date CRL for the CA and, only if successful, will restart your server:
fetch-crl -l /path/to/certificates/ && systemctl restart radiusd.service
This script should be executed in a cron job on a regular basis (we suggest daily).
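The steps above can be wrapped in a small script for the cron job, so that a failed CRL download is logged instead of silently leaving the server with stale CRLs. The script below is an added example; it is not code from the eduroam documentation or from the FetchCRL3 project. The directory /path/to/certificates/, the restart command, the script's install path in the crontab comment and the syslog tag eduroam-crl are assumptions to be adapted to your system.

```shell
#!/bin/sh
# Added example: a cron wrapper around "fetch-crl -l <infodir> && <restart>".
# Not from the eduroam page or the FetchCRL3 project. INFODIR, RESTART_CMD,
# the install path and LOG_TAG are assumptions; adjust them for your server.

INFODIR="${INFODIR:-/path/to/certificates/}"                     # directory holding the CAs' .info files (placeholder)
FETCH_CMD="${FETCH_CMD:-fetch-crl -l $INFODIR}"                  # fetch-crl 3, invoked as on the page
RESTART_CMD="${RESTART_CMD:-systemctl restart radiusd.service}"  # your RADIUS restart command
LOG_TAG="eduroam-crl"                                            # assumed syslog tag

# Log to syslog when logger(1) is available and always to stderr, so a failed
# refresh shows up both in cron mail and in the system log.
log_msg() {
    command -v logger >/dev/null 2>&1 && logger -t "$LOG_TAG" "$1"
    printf '%s: %s\n' "$LOG_TAG" "$1" >&2
}

# run_fetch_then_restart FETCH_COMMAND RESTART_COMMAND
# Runs FETCH_COMMAND; RESTART_COMMAND is run only if the fetch exited 0.
# Return codes: 0 = both succeeded; 1 = fetch failed, server left running with
# its current CRLs; 2 = CRLs refreshed but the restart command failed.
run_fetch_then_restart() {
    fetch_cmd="$1"
    restart_cmd="$2"
    if ! sh -c "$fetch_cmd"; then
        log_msg "CRL refresh failed ($fetch_cmd); RADIUS server NOT restarted"
        return 1
    fi
    if ! sh -c "$restart_cmd"; then
        log_msg "CRLs refreshed but restart failed ($restart_cmd)"
        return 2
    fi
    log_msg "CRLs refreshed and RADIUS server restarted"
    return 0
}

# Act only when invoked with the argument "run", e.g. from this assumed
# crontab entry (daily at 03:15):
#   15 3 * * * /usr/local/sbin/eduroam-crl-refresh.sh run
if [ "${1:-}" = "run" ]; then
    run_fetch_then_restart "$FETCH_CMD" "$RESTART_CMD"
    exit $?
fi
```

The distinct exit codes make the two failure modes visible in cron mail and syslog. A fetch failure is the one to watch: the server keeps running with the CRLs already on disk, and if the failure persists those CRLs will eventually pass their nextUpdate time, so repeated "CRL refresh failed" messages should be treated as an alert rather than noise.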