Almost all EAP types in eduroam (with the exception of EAP-PWD) require a X.509 server certificate with which the RADIUS server identifies itself to the end user before the user sends his credentials to the server.
Consideration 1: Procuring vs. creating your own server certificate
Consideration 2: Recommended certificate properties
Various end-user device operating system oppose different requirements on the contents of the server certificate that is being presented. When creating or procuring a server certificate, you should check with the CA that its certificates satisfy as many of these requirements as possible to ensure broad compatibility with your users' devices.
| Property | Content | Remarks |
|---|---|---|
| signature algorithm | SHA-1 or higher | Server certificates signed with the signature algorithm MD5 are considered invalid by many modern operating systems, e.g. Apple iOS. Having a server certificate (or an intermediate CA certificate) with MD5 signature will create problems on these operating systems. Apparently, no operating system as of yet has an issue with the root CA being self-signed with MD5. This may change at any point in the future though, so when creating a new CA infrastructure, be sure not to use MD5 as signature algorithm anywhere. |
| length of public key | 1024 Bit or higher | Server certificates with a length of the public key below 1024 bit are considered invalid by some recent operating systems, e.g. Windows 7 and above. Having a server certificate (or an intermediate CA certificate) with MD5 signature will create problems on these operating systems. |
| Extension: Extended Key Usage | TLS Web Server Authentication | Even though the certificate is used for EAP purposes, some popular operating systems (i.e. Windows XP and above) require the certificate extension "TLS Web Server Authentication" (OID: 1.3.6.1.5.5.7.3.1) to be present. Having a server certificate without this extension will create problems on these operating systems. |
| Extension: CRL Distribution Point | URI pointing to a valid HTTP/HTTPS URL | |