Certificates are one of the hardest parts of 802.1X/WPA2-Enterprise/EAP to understand. As well as the cryptography being fundamentally tricky, there are many idiosyncrasies across devices and operating systems. Generating certificates that meet all the various criteria takes time and a lot of trial and error, mostly error.

This generator is intended to take some of the hassle out of it by providing a quick and simple way of producing the simplest possible set of certificates required to make Govroam and eduroam work as widely as possible.

The bare essentials are a Root CA certificate, which is installed on the client, and a server certificate/key pair, which is installed on the RADIUS server. The Root CA on the client anchors the chain of trust: during the EAP exchange the client checks that the server certificate it is shown was issued by that Root CA, so it knows it is talking to the legitimate IdP and not an impostor. The CRL is not strictly necessary but may help reduce client compatibility issues; normally it is left with an empty list of revoked certificates. The Root Key is provided in case you wish to generate more certificates or update the CRL.

Warning: This service is intended to provide certificates for testing and experimentation only. It is vital to protect the integrity of your certificate chain by ensuring that your private key and passphrase are known to nobody else; because this service generates the key for you, we cannot guarantee that. A downloadable command-line version (Python) is available to run locally.

Fill in the form below with your site details, or, if you prefer, leave it exactly as it is. If the Root CA is installed on the client, then even the most ardent Game of Thrones fan will not see what is in the certificate. The certificate details are only visible if someone attempts to connect 'manually', i.e. without using the CAT (the eduroam Configuration Assistant Tool), a mobileconfig file or any sort of pushed policy.

The C, ST, L, O, OU and CN entries are there by convention and are not all necessary; just a CN should work. The CN can be anything in the form of a hostname. It is not checked against the server's hostname, nor against DNS; it is just an ASCII dotted string.

There is a choice between 2048-bit and 4096-bit RSA keys. 2048 is the current suggested minimum, and it will not be long before 4096 is the default. However, 4096-bit keys make the TLS handshake inside EAP slower, and support for them is not as universal as for 2048 on older clients.

Two letter country code

Normally the country: England, Wales, Scotland, Northern Ireland

Area of the country, e.g. Manchester

Normally the company name. e.g. Jisc

Group within a company, e.g. Govroam

Hostname-shaped name, but not necessarily that of the server. Can be anything.

URL of the file that provides the revocation list (written into the certificate as its CRL Distribution Point).

Randomly generated passphrase protecting the Root Key. Copy and paste it somewhere safe.

Notes

  • The Common Name (CN) does NOT have to be the FQDN of the server, unlike a web certificate.
  • You must NOT use a wildcard in the CN, as some clients will fail.
  • The CN is effectively just a name, so the same server certificate can be installed on multiple servers, unlike a web certificate.
  • The CN SHOULD be in the format a.b.c, i.e. that of a hostname (as opposed to 'A B C'). Some clients will complain if the syntax is wrong.
  • The data may be visible to the end user, so choose the contents wisely.
  • The CN is automatically copied into the Subject Alternative Name (SAN) field, to keep some clients happy.
  • Installing the generated CRL on a server will keep clients happy: some will not like it if the CRL entry in the certificate exists but the CRL cannot be fetched or is invalid, while others will fail if there is no CRL entry in the certificate at all.
  • The certificates are X.509 v3, signed with SHA-256, and valid for 100 years.
  • The Extended Key Usage extension includes TLS Web Server Authentication (serverAuth).
  • Make a note of your passphrase: it will not be shown again and is definitely not recoverable.
  • See EAP Server Certificates for more details.
  • Make a note of the passphrase!
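The set of artefacts described above (Root CA, server certificate/key with the CN mirrored into the SAN, serverAuth EKU, CRL Distribution Point, and an empty CRL), built with the openssl command line and then checked against the Notes. This is an added example, not the generator's own code nor its downloadable Python tool. It assumes openssl 1.1.1 or later on PATH with its default config file; the DN values, the CN radius.example.ac.uk, the CRL URL and the output directory are placeholders.

```shell
#!/bin/sh
# Added example (not the generator's code): generate the minimal Govroam/eduroam
# EAP certificate set with openssl and verify the properties listed in the Notes.
# All names, URLs and paths below are placeholders.

# Form values (placeholders).
DN_C="GB"; DN_ST="England"; DN_L="Manchester"; DN_O="Jisc"; DN_OU="Govroam"
SERVER_CN="radius.example.ac.uk"            # hostname-shaped; need not resolve in DNS
CRL_URL="http://crl.example.ac.uk/root.crl" # hypothetical CRL Distribution Point
BITS="${BITS:-2048}"                        # 2048 or 4096
DAYS=36500                                  # ~100 years, as the generator does
OUT="${OUT:-$(mktemp -d)}"                  # output directory
# Random passphrase for the Root Key; it is not recoverable, so record it.
PASSPHRASE="${PASSPHRASE:-$(openssl rand -hex 16)}"

# CN must look like a hostname (a.b.c): ASCII labels, no spaces, no wildcard.
valid_cn() {
  printf '%s\n' "$1" |
    grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Generate root key/CA, server key/cert and an empty CRL into $OUT.
gen_certs() (
  valid_cn "$SERVER_CN" || { echo "rejected CN: $SERVER_CN" >&2; exit 1; }
  mkdir -p "$OUT" && cd "$OUT" || exit 1
  SUBJ="/C=$DN_C/ST=$DN_ST/L=$DN_L/O=$DN_O/OU=$DN_OU"
  # 1. Root CA: passphrase-protected key, self-signed v3 certificate.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > ca.ext &&
  openssl genrsa -aes256 -passout "pass:$PASSPHRASE" -out root.key "$BITS" 2>/dev/null &&
  openssl req -new -sha256 -key root.key -passin "pass:$PASSPHRASE" \
    -subj "$SUBJ/CN=$DN_O Root CA" -out root.csr &&
  openssl x509 -req -sha256 -days "$DAYS" -in root.csr -signkey root.key \
    -passin "pass:$PASSPHRASE" -extfile ca.ext -out root.pem 2>/dev/null &&
  # 2. Server key and CSR, signed with the v3 extensions clients look for:
  #    CN copied into SAN, serverAuth EKU, CRL Distribution Point.
  openssl genrsa -out server.key "$BITS" 2>/dev/null &&
  openssl req -new -sha256 -key server.key -subj "$SUBJ/CN=$SERVER_CN" -out server.csr &&
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    "subjectAltName=DNS:$SERVER_CN" \
    "crlDistributionPoints=URI:$CRL_URL" > server.ext &&
  openssl x509 -req -sha256 -days "$DAYS" -in server.csr -CA root.pem -CAkey root.key \
    -passin "pass:$PASSPHRASE" -CAcreateserial -extfile server.ext -out server.pem 2>/dev/null &&
  # 3. Empty CRL signed by the root; "openssl ca" needs a minimal config and database.
  printf '%s\n' '[ ca ]' 'default_ca = root' '[ root ]' 'database = index.txt' \
    'crlnumber = crlnumber' 'certificate = root.pem' 'private_key = root.key' \
    'default_md = sha256' > ca.cnf &&
  touch index.txt && echo 1000 > crlnumber &&
  openssl ca -config ca.cnf -gencrl -crldays 3650 -passin "pass:$PASSPHRASE" \
    -out root.crl 2>/dev/null
)

# Verify the chain (with CRL checking) and the properties from the Notes.
check_certs() (
  cd "$OUT" || exit 1
  txt=$(openssl x509 -in server.pem -noout -text) || exit 1
  openssl verify -CAfile root.pem -crl_check -CRLfile root.crl server.pem >/dev/null &&
  echo "$txt" | grep -q 'Version: 3' &&
  echo "$txt" | grep -q 'sha256WithRSAEncryption' &&
  echo "$txt" | grep -q 'TLS Web Server Authentication' &&
  echo "$txt" | grep -qF "DNS:$SERVER_CN" &&
  echo "$txt" | grep -qF "URI:$CRL_URL" &&
  openssl crl -in root.crl -noout -text | grep -q 'No Revoked Certificates'
)

gen_certs && check_certs &&
  echo "Written to $OUT: root.pem (client), server.pem + server.key (RADIUS server), root.crl; passphrase: $PASSPHRASE"
```

Install root.pem on clients, server.pem and server.key on the RADIUS server, and publish root.crl at the CRL URL you put in the certificate; the check_certs function is the same test a picky client performs, so run it again after any change to the extensions.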