Table of Contents
Important change in the use of eduroam
In the context of the expiration of the root certificate “Deutsche Telekom Root CA 2“ on July 10, 2019, which has been announced for some time, the certificate used to encrypt the login process in WLAN eduroam will expire on July 1, 2019. For all concerned users, there is an urgent need for action to be able to use the popular and wide-spread eduroam access even after this date.
Why does the Wi-Fi configuration for eduroam have to be changed?
As you may have already learned, the current root certificate “Deutsche Telekom Root CA 2” (Generation 1), which is also used for the W-Fi eduroam at the GWDG and the University of Göttingen, expires on July 10, 2019 and loses its validity. It will be replaced by the new root certificate “T-TeleSec Global Root Class 2” (Generation 2). For devices on which Wi-Fi eduroam is installed and which use an intermediate certification chain of the still valid old generation 1 and not already of the new generation 2, the validity period will be shortened to June 30, 2019, deviating from the root certificate “Deutsche Telekom Root CA 2”.
Therefore, the GWDG's eduroam authentication servers will only accept the new root certificate “T-TeleSec Global Root Class 2” after June 30, 2019. For all devices with eduroam access that have not yet installed the new root certificate, this means that Wi-Fi eduroam must be set up again if eduroam is to continue to be used. After June 30, 2019, registration with the old root certificate will no longer be possible. The Wi-Fi configuration can, of course, still be reset at any time after this date. There will be no further disadvantages in the case of late subsequent new setup, with the exception of the missing possibility of using eduroam; in particular, no security problems will result from this.
Which users need to change their Wi-Fi configuration for eduroam?
Not all users have to change their Wi-Fi configuration for eduroam, because many devices already include the new certificate and the associated external identity firstname.lastname@example.org in the Wi-Fi configuration for eduroam.
If you used the CAT tool provided by DFN-Verein when setting up eduroam access with an account managed by GWDG, your device may already have the new root certificate and the external identity email@example.com installed in the eduroam profile. For users who have installed the eduroam profile on their devices at https://cat.eduroam.org via the organisations “University of Göttingen” and “GWDG”, the new root certificate and the external identity firstname.lastname@example.org were already added to the CAT tool in autumn 2017. For the Max Planck Institutes, whose eduroam profiles are maintained by the GWDG at https://cat.eduroam.org, this was done in autumn 2018.
Unfortunately, the manual check as to whether the new root certificate and the external identity email@example.com have already been installed in the eduroam profile of a device differs greatly depending on the operating system used and is in many cases only cumbersome or even impossible without more precise expertise. We therefore recommend in any case that you set up your eduroam account as soon as possible if you cannot determine a clearly positive result.
How should the W-Fi configuration for eduroam be changed?
In order to enforce a stricter, roaming-compliant eduroam configuration in the future and to avoid errors, the eduroam access should no longer be set up manually if possible, but only with the help of the user-friendly CAT tools of the GÉANT organisation at https://cat.eduroam.org, which also includes the DFN-Verein. This allows the desired eduroam profiles to be quickly and securely installed over the network for all operating systems supported by DFN-Verein. The eduroam-CAT (eduroam Configuration Assistant Tool) provides automatic eduroam configuration wizards for Windows, macOS, Linux, Chrome OS, iOS and Android.
This also ensures that the new root certificate and - equally important - the external identity firstname.lastname@example.org are implemented in the eduroam profile. After June 30, 2019, only users with an external identity email@example.com will be able to log on to the Wi-Fi eduroam.
Instructions for downloading the CAT tool and setting up eduroam for the various operating systems are available here. If you have any questions regarding the conversion of Wi-Fi eduroam, please do not hesitate to contact us at https://www.gwdg.de/support or send an e-mail to firstname.lastname@example.org .