Certificates are one of the hardest parts of 802.1X/WPA2-Enterprise/EAP to understand. As well as cryptography being fundamentally quite tricky, there are lots of idiosyncrasies with various devices and operating systems. Generating certificates that meet all the various criteria takes time and a lot of trial and error, mostly error.
This Generator is supposed to take some of the hassle out of it by providing a quick way of producing the simplest possible set of certificates required to make Govroam and eduroam work as widely as possible.
The bare essentials are a Root CA, which is installed on the client, and a server certificate/key pair, which is installed on the server. The Root CA on the client provides a chain of trust to ensure that the IdP is legitimate. The CRL is not strictly necessary but may help reduce client compatibility issues; normally it's left with an empty list of revoked certificates. The Root Key is provided in case you wish to generate more certificates or update the CRL.
Fill in the form below with your site details. Or, if you prefer, you can leave it exactly as is. If the Root CA is installed on the client then even the most ardent Game of Thrones fan will not know what's in the certificate. The certificate details will only be visible if someone attempts to connect 'manually', i.e. without using the CAT, a mobileconfig file or any sort of pushed policy.
The C, ST, L, O, OU and CN entries are there by convention and are not all necessary; just a CN should work. The CN can be anything in the form of a hostname. It's not checked against the server hostname, nor against the DNS. It's just an ASCII dotted string.
There's a choice between 2048-bit and 4096-bit keys. 2048 is the current minimum suggested but it won't be too long before 4096 is the default. However, 4096 can be slower to use and might not be as ubiquitous as 2048.
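For reference, the same minimal set (Root CA and key, server certificate and key, and a CRL with no revoked entries) can be produced with the openssl command line. This is an added example, not the Generator's own code; the file names, validity periods and the serverAuth extended key usage are assumptions that do not come from this page.

```shell
# Added example; file names and the CN passed in are constructed placeholders.
make_eap_certs() {   # usage: make_eap_certs OUTDIR SERVER_CN [2048|4096]
    outdir=$1; cn=$2; bits=${3:-2048}
    mkdir -p "$outdir" || return 1
    (
        cd "$outdir" || exit 1
        umask 077                 # private keys readable by owner only
        cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
# assumption, not from the page: mark the certificate for TLS server use
extendedKeyUsage = serverAuth
[ca]
default_ca = eap_ca
[eap_ca]
database = ./index.txt
crlnumber = ./crlnumber
default_md = sha256
default_crl_days = 365
EOF
        : > index.txt             # no revoked entries, so the CRL stays empty
        echo 01 > crlnumber
        # 1. Root CA: the certificate goes on clients, the key is kept safe.
        openssl req -x509 -config ca.cnf -extensions v3_ca -newkey "rsa:$bits" \
            -nodes -keyout root.key -out root.pem -days 3650 -subj "/CN=$cn Root CA" &&
        # 2. Server key and CSR with only a CN in the subject.
        openssl req -new -config ca.cnf -newkey "rsa:$bits" -nodes \
            -keyout server.key -out server.csr -subj "/CN=$cn" &&
        # 3. Sign the server certificate with the root key.
        openssl x509 -req -in server.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -extfile ca.cnf -extensions server \
            -days 825 -sha256 -out server.pem &&
        # 4. CRL with an empty revocation list, signed by the root key.
        openssl ca -config ca.cnf -gencrl -keyfile root.key -cert root.pem -out crl.pem
    )
}

check_eap_certs() {   # chain and CRL check, as a client trusting root.pem would
    openssl verify -CAfile "$1/root.pem" -CRLfile "$1/crl.pem" -crl_check \
        "$1/server.pem" >/dev/null
}
```

Calling `make_eap_certs ./certs radius.example.org 4096` followed by `check_eap_certs ./certs` builds the set and confirms that the server certificate chains to the root and is not listed in the CRL.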