IT Center Blog

Quelle: Pixabay

Have you ever wondered what a security certificate actually does? And why is it so important? In the following article we would like to give you answers to these questions.

Our university WLAN eduroam is available on the entire campus of RWTH Aachen University. Even at the end of track 2 at main station you have a connection to the fast and secure network of the university. In total, we expect about 133,000 devices to be connected to the eduroam network.

But how does the secure connection to eduroam work? After all, the connection to the network takes place automatically as soon as our mobile devices detect a nearby network with the name “eduroam”.

What does a security certificate actually do?

And this is exactly where the security certificate comes into play. Your eduroam access data must be transmitted to the RWTH authentication server (RADIUS). Since this connection is encrypted in eduroam, your access data is secure during the transmission.

But do you know if your credentials are sent to the correct authentication server?

 

This task is performed by the security certificate of the Radius server. If, for example, you have used the CAT tool to configure your eduroam access on your device, the name of the Radius server and the root certificate of the certification chain will be entered/installed on your device.

Based on the names, your device checks whether the correct Radius server is addressed. In addition, based on the root certificate, the TLS protocol checks whether the Radius server is using a certificate that was issued by your trusted certification authority (CA).

You express this trust when you install the root certificate on your device. This means:

Install it once and trust it implicitly every time you connect.

With this root certificate, a conversion is now necessary. The “Deutsche Telekom Root CA 2“ certificate expires on Tuesday, July 9, 2019, at 23:59:00 GMT. This means, all eduroam devices, which only trust this certificate, will no longer be able to access the network after July 7, 2019, because the connection to the Radius server is no longer trusted.

But don’t worry, because the Radius server at RWTH is already working with both security certificates attached to different chains. The old one, which expires on July 09, 2019, and the new one, which is valid until October 1, 2033.

You can already switch to the new chain by changing the eduroam configuration of your devices to the new certificate.

Why is it so important to change the access data?

A further security aspect for the protection of your data is to encrypt it. In principle, it is currently still possible to use eduroam access data to draw conclusions about your personal information. The eduroam Device Manager provides a remedy by generating individual access data for each of your devices – without revealing your user name or password.

Therefore, the login will be changed on June 04, 2019. This in connection of the certificate conversion. A connection to the eduroam network is then only possible with secure access data from the eduroam Device Manager, which does not allow any inference to personal information (e.g. your user ID ab123456@rwth-aachen.de). Here as well, it is possible and sensible to change the access data as soon as possible.

We attach great importance to security and want you to remain online. For this reason, we already recommend creating secure access data with the eduroam Device Manager in conjunction with the new security certificate for your mobile devices.

We are aware that all of this means additional work for you, so we have put a lot of effort into the instructions. You can find out how to safely configure eduroam on IT Center Help.

We thank you for your understanding and look forward to your feedback!

Responsible for the content of this article is Nicole Filla with the kind support of Ekaterini Papachristou.

Kategorie: IT-Security, Employees, Support, Services & Updates, Students
Kommentare und Trackbacks sind geschlossen