...
As of Q1 2025, all public CAs have committed to follow the CA/B Forum's recommendation to reduce the maximum validity period of server certificates progressively to 47 days within the next few years.
If you do not automate certificate renewal with a mechanism such as SCEP or ACME (for example via Certbot), this will cause you increasing administrative and technical problems. Look into SCEP, ACME or Certbot, and treat support for one of these automated renewal methods as an important criterion when choosing a commercial CA.
See the CA/B Forum's vote here: https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-schedule-of-reducing-validity-and-data-reuse-periods/
Communications from Sectigo: https://www.sectigo.com/resource-library/sectigo-cab-reduce-ssl-tls-certificates-lifespan-47-days
Communications from DigiCert: https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days
You should therefore read about eduroam Server Certificate Lifetime Cycles and what you should do about this!
Sectigo / "AAA Certificate Services" certificates issued by the GÉANT Certificate Service before January 2025
Sectigo, the commercial CA backing the GÉANT Certificate Service before January 2025, cross-signed what had previously been an intermediate CA certificate as a root certificate of its own in 2020. This creates a new, shorter CA chain that ends at the root variant of "USERTrust RSA Certificate Authority". The older, longer chain, in which a CA of that same name is an intermediate and the root CA certificate is "AAA Certificate Services", continues to be offered by Sectigo only for compatibility with very old legacy systems that do not know the root variant of USERTrust. Downloading and using the longer chain is NOT RECOMMENDED: Windows 10 has known issues building a trusted path when the USERTrust CA is already installed as a root variant (which becomes increasingly common over time). Identity Providers using certificates from this CA should NOT include the intermediate variant of "USERTrust RSA Certificate Authority" in their onboarding tool and EAP server configurations.
...
HARICA certificates issued by the GÉANT Certificate Service
HARICA is the CA backing the GÉANT Certificate Service since January 2025. The server certificate issued by the service comes with the GEANT intermediate certificate and, as a second intermediate certificate, with the cross-certificate issued by HARICA Root CA 2015 for the HARICA TLS Root CA 2021. This way, trust can be built between the supplicant and the RADIUS server using either the HARICA TLS Root CA 2021 or the HARICA Root CA 2015 (or both). It is recommended to put only the HARICA Root CA 2015 into eduroam CAT for use during onboarding, since you may experience problems with Windows clients if you use the HARICA TLS Root CA 2021 (although it gives a shorter chain). Adding both roots will result in Passpoint not working on Android.
...
For most deployments, it probably makes more sense to send the intermediate CA certificates as part of the server certificate chain during the RADIUS/EAP conversation.
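The rule above, together with the Sectigo advice not to ship the intermediate variant of "USERTrust RSA Certificate Authority", can be turned into a check on the PEM bundle an EAP server is configured to send. The script below is an added example, not code from the eduroam wiki or from either CA; it parses only the subject and issuer common names (no signature verification), and the certificates it runs on are constructed, unsigned stand-ins with hypothetical names ("radius.example.edu", "Example Intermediate CA").

```python
import base64, re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("550403")                     # id-at-commonName
LEGACY = ("USERTrust RSA Certificate Authority", "AAA Certificate Services")   # (subject, issuer) to avoid

def _tlv(buf, pos=0):                                # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length
def _children(value):                                # (tag, value) items inside a constructed element
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos); out.append((tag, v))
    return out
def _common_name(name_der):                          # Name ::= SEQUENCE OF SET OF SEQUENCE {OID, value}
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == CN_OID:
                return val.decode("utf-8", "replace")
    return "?"
def subject_issuer(der):                             # (subject CN, issuer CN); signatures are NOT verified
    fields = _children(_tlv(_tlv(der)[1])[1])        # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                         # skip optional [0] version
        fields = fields[1:]                          # serial, sigAlg, issuer, validity, subject, ...
    return _common_name(fields[4][1]), _common_name(fields[2][1])

def audit_bundle(pem):
    """Inspect the PEM bundle the EAP server sends (leaf first); return (chain, findings)."""
    chain = [subject_issuer(base64.b64decode(b)) for b in PEM_RE.findall(pem)]
    findings = []
    for subj, iss in chain:
        if subj == iss:
            findings.append(f"root '{subj}' is sent; roots belong in the supplicant trust store, not here")
        if (subj, iss) == LEGACY:
            findings.append("legacy USERTrust intermediate (AAA chain) sent; drop it from the server chain")
    return chain, findings

# Constructed sample input: unsigned stand-in certificates carrying only the fields read above.
def _der(tag, body): return bytes([tag, len(body)]) + body          # short-form length only (< 128)
def _name(cn): return _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))
def toy_cert(subject, issuer):                       # version, serial, sigAlg, issuer, validity, subject, spki
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # tbs, sigAlg, signature
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"
LEGACY_BUNDLE = b"".join(toy_cert(s, i) for s, i in [("radius.example.edu", "Example Intermediate CA"),
                                                      ("Example Intermediate CA", LEGACY[0]), LEGACY])
```

To check a real deployment, pass the contents of the certificate file your RADIUS server serves to `audit_bundle` and review the findings; for full signature and path validation use `openssl verify` as well.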
Consideration 4: Server certificate lifetime and life cycle
See eduroam Server Certificate Lifetime Cycles for more information!