Almost all EAP types in eduroam (with the exception of EAP-PWD) require an X.509 server certificate with which the RADIUS server identifies itself to the end user before the user sends his their credentials to the server.
...
In a generic web server context, server certificates are usually required to be procured by a commercial Certification Authority (CA) operator; self-made certificates trigger an "Untrusted Certificate" warning. It makes sense for browsers to have a pre-configured trust store with many well-known CAs because the user may browse to any website; and the operator of that website may have chosen any of those well-known CAs for his their website. In an abstract notion, one can say: it is required to have many CAs in the list because the user device does not have all required information for certificate validation contained in its own setup; it misses the information "which CA did the server I am browsing to use to certify the genuinity of his website?".
These considerations are not at all true in an EAP authentication context, such as an eduroam login. Here, the end user device is pre-provisioned with the entire set of information it needs to verify this specific TLS connection: the IdP has a certificate from exactly one CA, and needs to communicate both that CA and the name of his their authentication server to the end user. A trust store list from the web browser is thus insignificant in this context; certificates from a commercial CA are as valid for EAP authentications as are self-made certificates or certificates from a small, special-purpose CA. For a commercial CA, the installation of the actual CA file may be superfluous in some client operating systems (particularly those who make their "web browser" trust store also accessible for EAP purposes), but marking that particular CA as trusted for this specific EAP authentication setup still needs to be done.
...
Factors to consider for a creating and use using a private CA to issue a private Server certificatecertificates:
- Do you have the necessary expertise to create a self-signed certificate; or to set up a private Certification Authority and issue a server certificate with it?
- For details on properties to impose on the the certificate, see "Consideration 2: Recommended certificate properties" below
- Does your eduroam NRO operate a special-purpose CA for eduroam purposes so that you could get a professionally crafted certificate without much hassle?
- Do your end-user devices all verify the exact server identity (issuing CA certificate AND expected server name)?
...
Another factor to consider when making the decision private vs. commercial CA is that of size and length of the EAP conversation during every login: with a private CA, you will be able to construct a certificate chain without intermediary CA certificates; requiring less bytes to be transmitted inside the EAP conversation (see Consideration 3, below). This results in fewer EAP round-trips and thus a faster authentication.
As a general recommendationRecommendations:
- if you have the required expertise: it it is suggested to set up a private CA exclusively to issue an appropriate IdP' IdP Server certificate for the eduroam RADIUS server
- Qualities a private CA possesses:
- A very long lifetime to prevent certificate rollover problems.
- Presence of Basic Constraints CA:TRUE per RFC5280, section 4.2.1.9 to satisfy the required validation of the CA such that it can use it appropriately
- The CA should issue only server certificates for your eduroam IdP server(s).
- Qualities a private CA possesses:
- If you do not have expertise: consider making use of your NROs special-purpose CA, if one exists.
- If none of these work for you: a certificate from a commercial CA is a commonly used third option.
...