...
As of Q1 2025, all public CAs have committed to follow the CA/B Forum's recommendation to reduce server certificate lifetimes progressively to 47 days within the next few years.
If you do not employ certificate renewal automation via a protocol like SCEP or ACME (for example with an ACME client such as Certbot), this will cause increasing administrative and technical issues for you. Consider looking at SCEP, ACME or Certbot, and you should also treat support for one of these automated renewal methods as an important criterion when choosing a commercial CA.
See the CA/B Forum's vote here: https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-schedule-of-reducing-validity-and-data-reuse-periods/
Communications from Sectigo: https://www.sectigo.com/resource-library/sectigo-cab-reduce-ssl-tls-certificates-lifespan-47-days
Communications from DigiCert: https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days
You should therefore read about eduroam Server Certificate Lifetime Cycles and what you should do about this!
Sectigo / "AAA Certificate Services" certificates issued by the GÉANT Certificate Service before January 2025
Sectigo, the commercial CA backing the GÉANT Certificate Service before January 2025, cross-signed a previously intermediate CA certificate as its own root certificate in 2020. This leads to a new, shorter CA chain path that stops at the root variant of "USERTrust RSA Certificate Authority". The older CA chain path, with a CA of that same name as an intermediate variant and a root CA certificate named "AAA Certificate Services", continues to be offered by Sectigo only for compatibility with very old legacy systems that are unaware of the root variant of USERTrust. It is NOT RECOMMENDED to download and use the longer chain, as Windows 10 has known issues building a trusted path when the USERTrust CA is already installed as a root variant (which becomes increasingly common over time). Identity Providers using certificates from this CA should NOT include the intermediate CA variant of "USERTrust RSA Certificate Authority" in their onboarding tool and EAP server configurations.
...
HARICA is the CA backing the GÉANT Certificate Service since January 2025. The server certificate issued by the service comes with the GÉANT intermediate certificate. It is recommended to also add the Cross Certificate from HARICA Root CA 2015 to 2021 as a second intermediate certificate to the RADIUS server, after the GÉANT intermediate certificate. This way, trust can be built between the supplicant and the RADIUS server using either the HARICA TLS Root CA 2021 or the HARICA Root CA 2015 (or both). It is recommended to put only the HARICA Root CA 2015 into eduroam CAT for use during onboarding, since you may experience problems with Windows clients if you use the HARICA TLS Root CA 2021 (although it gives a shorter chain). Adding both roots will result in Passpoint not working on Android.
In summary:
- The RADIUS/EAP server should send the server certificate, the HARICA GÉANT TLS intermediate certificate and the Cross Certificate from HARICA Root CA 2015 to 2021 as second intermediate certificate
  - ECC certificates: GEANT.pem (GEANT.txt), Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.pem (Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.txt)
  - RSA certificates: GEANT.pem (GEANT.txt), Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.pem (Cross-Certificate-from-HARICA-Root-CA-2015-to-2021.txt)
- When using eduroam CAT as the onboarding tool, upload the HARICA Root CA 2015 to CAT
  - ECC: Root-CA.pem (Root-CA.txt)
  - RSA: Root-CA.pem (Root-CA.txt)
- If you want a shorter chain and you're not experiencing problems with Windows clients when using the setup above, you can upload only the HARICA TLS Root CA 2021 to CAT
  - ECC: Root-CA-2015
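To check that the chain layout described above actually lets a supplicant that trusts only the old root, or only the new root, validate the RADIUS server, the following added script builds a constructed toy PKI with the same shape (an old root, a new root whose key is cross-certified by the old root, an intermediate under the new root, and a server certificate) and verifies the server chain against each root on its own with openssl. It is an example written for this page, not code from GÉANT, HARICA or eduroam CAT; the certificate names (Root-2015, Root-2021, Intermediate, radius.example.org) and the Cross-2015-to-2021 file are placeholders, not the real HARICA certificates.

```shell
#!/bin/sh
# Constructed toy PKI mirroring the two-root layout discussed above
# (placeholder names, not the real HARICA/GEANT certificates):
#   Root-2015 (old root) cross-certifies the Root-2021 key   -> Cross-2015-to-2021.crt
#   Root-2021 (new root) signs Intermediate, which signs radius.example.org
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: CA certificates vs. the EAP server certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.org\n' > srv.ext

newkey() { openssl genrsa -out "$1.key" 2048 2>/dev/null; }

# selfsigned NAME: self-signed root with explicit CA extensions.
selfsigned() {
  openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 \
    -extfile ca.ext -out "$1.crt" 2>/dev/null
}

# issue SUBJECT SIGNER EXTFILE [OUTFILE]: certify SUBJECT's key with SIGNER's key.
issue() {
  subj=$1; signer=$2; ext=$3; out=${4:-$subj.crt}
  openssl req -new -key "$subj.key" -subj "/CN=$subj" -out "$subj.csr" 2>/dev/null
  openssl x509 -req -in "$subj.csr" -CA "$signer.crt" -CAkey "$signer.key" \
    -CAcreateserial -days 3650 -extfile "$ext" -out "$out" 2>/dev/null
}

for n in Root-2015 Root-2021 Intermediate radius.example.org; do newkey "$n"; done
selfsigned Root-2015
selfsigned Root-2021
# The cross certificate: same subject and key as Root-2021, but issued by Root-2015.
issue Root-2021 Root-2015 ca.ext Cross-2015-to-2021.crt
issue Intermediate Root-2021 ca.ext
issue radius.example.org Intermediate srv.ext

# What the RADIUS/EAP server presents alongside its own certificate:
# the intermediate plus the cross certificate as second intermediate.
cat Intermediate.crt Cross-2015-to-2021.crt > chain.pem

# verify_with ROOTFILE: "ok" if the server chain validates when only ROOTFILE is trusted.
verify_with() {
  if openssl verify -CAfile "$1" -untrusted chain.pem radius.example.org.crt >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# chain_depth ROOTFILE: number of certificates in the path openssl built
# (4 via the cross certificate to the old root, 3 directly to the new root).
chain_depth() {
  openssl verify -show_chain -CAfile "$1" -untrusted chain.pem radius.example.org.crt 2>/dev/null \
    | grep -c '^depth='
}

echo "trusting Root-2015 only: $(verify_with Root-2015.crt), path length $(chain_depth Root-2015.crt)"
echo "trusting Root-2021 only: $(verify_with Root-2021.crt), path length $(chain_depth Root-2021.crt)"
```

Run it as-is; it needs only a POSIX shell and openssl. The same two `openssl verify` calls, pointed at your real server certificate, your real chain file and one HARICA root at a time, tell you whether the chain your RADIUS server sends can be anchored at either root before you touch the CAT profile.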
Consideration 2: Recommended certificate properties
...
For most deployments, it makes more sense to send the intermediate CA certificates along with the server certificate during the RADIUS/EAP conversation than to rely on clients already having them installed.
Consideration 4: Server certificate lifetime and life cycle
See eduroam Server Certificate Lifetime Cycles for more information!