cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates
- From: Paul Dekkers <address@concealed>
- To: Patrice Peterson <address@concealed>
- Cc: address@concealed
- Subject: Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates
- Date: Wed, 15 Oct 2025 14:13:42 +0200
Hi Patrice,
On 15/10/2025 12:07, Patrice Peterson wrote:
> Dear list,
> I am an administrator with a DFN member university (and, by association, GÉANT). We take part in the Eduroam network. Yesterday we replaced our Sectigo RADIUS certificates with ones from Harica, and we encountered an issue where Windows 11 clients were unable to connect to the Eduroam network, due to the presence of a cross cert leading Windows down the wrong trust path.
> For illustration, I have attached one of our Radius server cert chains that exhibit the issue ('radius3.xd.uni-halle.de.fullchain.pem') and the root cert which we are configuring as a trust anchor in the Eduroam CAT tool ('HARICA-TLS-Root-2021-ECC.pem').
> The issue appears to be that Windows clients choose the wrong trust path: Because of the cross cert in the chain, Windows clients choose the longer path and end up at HARICA's 2015 root cert instead of the 2021 one which we have configured. On newer (Win11) systems, the 2015 root cert is not present anymore, resulting in a 'root certificate invalid' error. A newer Android client, using the same CAT profile, does not exhibit this problem and correctly chains to the 2021 root cert.
Re "the 2015 root is not present anymore" - I wonder if that's because Windows never had an HTTP session to a peer using this CA.
By default, Windows has no CAs available whatsoever: only after a connection attempt, Windows will download them. Apparently you had this with the 2021 root (via a browser) but not the 2015. We had a similar situation with Sectigo and the AAA root compared to the USERTrust roots, but that was a very common CA, so most people had AAA even just after installing Windows (yet it was still not available if you installed Windows without any connectivity I recall).
But I think it would work on Windows if you set the root in CAT to the 2015 one? This is what we advised on that HARICA page in the wiki, right?
Now I wonder if CAT wouldn't install it, but the CAT installer may do something different compared to geteduroam: but geteduroam's Windows client actually tries to install the root certificate from the CAT profile if it's not present. (It gives you a warning, but for these public CAs we'd expect the CAs to be present anyway.)
> The Microsoft documentation mentions [1] that this is 'by design' and suggests removing the cross cert from the client as a workaround. This is not a workable suggestion in the context of our Eduroam configuration, so we have decided to remove the cross cert from the RADIUS server cert chain instead. With that, Windows clients appear to choose the (newer, shorter) path to the 2021 root certificate, and the issue goes away.
> Aside from removing the cross cert from the server chain (which our PKI admins hesitate to do), is there something else we can do here?
I understand the hesitation, I think removing the 2015 one will make connections on Android harder, if done with trust-on-first-use in particular. Including the 2021 -> 2015 intermediate is in fact what we advised on the HARICA page you found on the wiki. I think it should also work on newer Windows 11's, but I'd love to hear if that issue persists,
Regards,
Paul
> Best regards,
> Patrice Peterson
> MLU
> [1]: https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/secured-website-certificate-validation-fails
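An added example, not part of this thread or of CAT/geteduroam: a shell script that builds a toy PKI shaped like the one in the report (a 2015 root, a 2021 root, a cross-certificate carrying the 2021 root's key and subject but signed by the 2015 root, an issuing CA, and a RADIUS server leaf), strips the cross-certificate from the server's fullchain the way Patrice's PKI admins would have to, and checks which anchors the full and the stripped bundle verify against. All keys and names are generated here; "Toy Root 2015", "Toy Root 2021", "Toy Issuing CA" and "radius.example.net" are placeholders, not HARICA's real certificates. It assumes the openssl CLI (1.1.0 or newer) is installed.

```shell
#!/bin/sh
# Added example: toy two-root PKI with a cross-certificate, plus a helper that
# removes the cross-certificate from a fullchain and verifies the result.
# Names, keys and hostname below are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
CFG="$WORK/openssl.cnf"
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.net
EOF
cd "$WORK"

# issue KEYFILE SUBJECT OUTNAME CANAME EXTSECTION: CSR for KEYFILE, signed by CANAME.
issue() {
  openssl req -new -config "$CFG" -key "$1" -subj "$2" -out "$3.csr"
  openssl x509 -req -in "$3.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
    -days 730 -extfile "$CFG" -extensions "$5" -out "$3.pem" 2>/dev/null
}

make_pki() {
  for n in root2015 root2021 inter leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
  done
  for y in 2015 2021; do   # the two self-signed roots
    openssl req -x509 -new -config "$CFG" -extensions ca -key "root$y.key" \
      -subj "/CN=Toy Root $y" -days 3650 -out "root$y.pem"
  done
  # Cross-certificate: the 2021 root's key and subject, issued by the 2015 root.
  issue root2021.key "/CN=Toy Root 2021" cross root2015 ca
  # Issuing CA under the 2021 root, then the RADIUS server certificate.
  issue inter.key "/CN=Toy Issuing CA" inter root2021 ca
  issue leaf.key "/CN=radius.example.net" leaf inter leaf
  # A fullchain.pem as deployed on the RADIUS server, cross-cert included.
  cat leaf.pem inter.pem cross.pem > fullchain.pem
}

# Print the subject or issuer ($2) of the single PEM certificate in $1.
name_of() { openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"; }

# Copy chain $1 to $3, dropping any cross-certificate: a certificate that has
# the subject of trust anchor $2 but is not self-signed.
strip_cross_certs() {
  chain="$1"; anchor="$2"; out="$3"
  anchor_subject="$(name_of "$anchor" subject)"
  parts="$(mktemp -d)"
  awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" (n+0) ".pem")}' "$chain"
  : > "$out"
  i=1
  while [ -f "$parts/$i.pem" ]; do
    subj="$(name_of "$parts/$i.pem" subject)"
    iss="$(name_of "$parts/$i.pem" issuer)"
    if [ "$subj" = "$anchor_subject" ] && [ "$iss" != "$subj" ]; then
      echo "dropping cert #$i (cross-signed): '$subj' issued by '$iss'" >&2
    else
      cat "$parts/$i.pem" >> "$out"
    fi
    i=$((i + 1))
  done
  rm -rf "$parts"
}

# Exit 0 if leaf.pem chains to anchor $1 using only the untrusted bundle $2.
verifies_with() { openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1; }

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

make_pki
strip_cross_certs fullchain.pem root2021.pem stripped.pem
for anchor in root2021.pem root2015.pem; do
  for bundle in fullchain.pem stripped.pem; do
    if verifies_with "$anchor" "$bundle"; then r=ok; else r=FAIL; fi
    echo "anchor=$anchor bundle=$bundle ($(count_certs "$bundle") certs) -> $r"
  done
done
```

OpenSSL's verify builds the chain trusted-first, so the "root2021 + fullchain" case passes here even though the Windows 11 clients in the report did not take that path; the script does not reproduce Windows' path selection. What it does show is the two checks worth running before changing the server chain: the stripped bundle still verifies with only the 2021 root as anchor, and it no longer verifies with only the 2015 root, which is the trade-off Paul raises for clients that know just the older root.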
- [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Patrice Peterson, 10/15/2025
- <Possible follow-up(s)>
  - [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Patrice Peterson, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Stefan Paetow, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Patrice Peterson, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Lukas Wringer, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Stefan Paetow, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Lukas Wringer, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Patrice Peterson, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Paul Dekkers, 10/15/2025
  - Re: [[cat-users]] EAP: Issue with Windows clients and cross-signing certificates, Stefan Paetow, 10/15/2025
