cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Stefan Paetow <address@concealed>
- To: "address@concealed" <address@concealed>
- Subject: Re: [[cat-users]] Eduroam Certificate Replacement
- Date: Tue, 6 Jan 2026 15:05:32 +0000
This has been taken off-list.
With kind regards
Stefan Paetow Federated Roaming Technical Specialist eduroam(UK), Jisc
email/teams: address@concealed gpg: 0x3FCE5142
For eduroam support, please contact the eduroam team via address@concealed and mark it for eduroam’s attention. I am not available on Mondays and Fridays between 12:00 and 15:00 London time (UTC in winter, UTC+0100 in summer).
Note: I don’t expect a reply outside of your working hours, since I work internationally with colleagues in different nationalities with different religions, customs, and holidays. Reply when it is convenient for you.
Jisc is a registered charity (in England and Wales under charity number 1149740; in Scotland under charity number SC053607) and a company limited by guarantee registered in England under company number 05747339, VAT number GB 197 0632 86. Jisc's registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.
For more details on how Jisc handles your data see our privacy notice here: https://www.jisc.ac.uk/website/privacy-notice
From: Jacob Abegunde <address@concealed>
Hello everyone,
We are replacing our Eduroam certificates and have encountered a problem that is difficult to resolve. Would anyone be kind enough to help or point us in the right direction?
Our current Eduroam certificate was purchased from Sectigo under the old Jisc framework. We wish to continue with Sectigo, so we bought a new certificate from them to replace the current one, which expires on 08/01/26.
After installing the new certificate last year, we encountered an issue: Windows clients could not connect to Eduroam because they did not trust the CA chain, which includes R36+R46+Root. We were unable to resolve the issue, so we had to roll back to the old certificate.
The error message is as follows:
###
Thu Dec 18 15:08:29 2025: INFO: Access rejected for address@concealed: EAP PEAP TLS error: tlsv1 alert unknown ca
Thu Dec 18 15:08:30 2025: ERR: EAP TLS error: -1, 1, 26, 43764: 1 - error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
####
We googled the issue and found that it is a known problem: the second certificate in the CA chain (the R46) is not widely trusted and is not trusted by Windows. All other clients, such as Apple iOS and Android, were okay.
We have raised a ticket with Sectigo, and yesterday I spent more than 3 hours in a session with their support team troubleshooting. The proposed solution is to remove R46 from the Windows trusted list by manipulating the certificate store on Windows clients. This worked on my laptop, but we have thousands of Windows users who do not know how to edit the certificate store, so it cannot be presented as a solution – it is not a scalable solution. Therefore, it remains an open case with Sectigo, who is researching a resolution, and time is running out on our old certificate, which expires on Thursday.
Has anyone come across this problem? Does anyone have a workaround or a solution? I would greatly appreciate any response.
Thank you.
Regards,
_______________________________________________________________________
Dr Jacob Abegunde Network and Security Consultant (Library & Computing Services) Visiting Lecturer, Computer Science (Cyber Security) FHEA, PhD (Classical and Quantum-based Cyber Security), MSc (Distributed Systems & Networks), BSc (Hons) (Computer Science) School of Physics, Engineering and Computer Science (SPECS) University of Hertfordshire, College Lane Campus, Hatfield, AL10 9AB Email: address@concealed _______________________________________________________________________
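Added example, not part of the original thread: a small triage script for log lines in the format quoted above, which decodes the packed OpenSSL error code and counts which users are hitting the "unknown ca" rejection after a certificate change. It assumes the OpenSSL 1.x error-code layout that the quoted code 14094418 uses; the function names and the sample user names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the quoted log format; the user names are made up.
SAMPLE_LOG = """\
Thu Dec 18 15:08:29 2025: INFO: Access rejected for alice@example.org: EAP PEAP TLS error: tlsv1 alert unknown ca
Thu Dec 18 15:08:30 2025: ERR: EAP TLS error: -1, 1, 26, 43764: 1 - error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Thu Dec 18 15:09:02 2025: INFO: Access rejected for bob@example.org: EAP PEAP TLS error: tlsv1 alert unknown ca
Thu Dec 18 15:09:40 2025: INFO: Access rejected for alice@example.org: EAP PEAP TLS error: tlsv1 alert unknown ca
Thu Dec 18 15:10:11 2025: INFO: Access rejected for carol@example.org: EAP PEAP TLS error: sslv3 alert bad certificate
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}): (\w+): (.*)$")
REJECT = re.compile(r"Access rejected for (\S+): EAP \S+ TLS error: (.+)$")
OSSL = re.compile(r"error:([0-9A-Fa-f]{8}):")
# TLS alert numbers from RFC 5246 that relate to certificate validation.
ALERTS = {42: "bad_certificate", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

def decode_openssl_error(hexcode):
    """Unpack an OpenSSL 1.x packed error code: lib (8 bits), func (12), reason (12)."""
    code = int(hexcode, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    # In the SSL library (lib 20), reason 1000+N means TLS alert N was received
    # from the peer, i.e. the client rejected the chain the server presented.
    alert = reason - 1000 if lib == 20 and 1000 <= reason < 1256 else None
    return {"lib": lib, "func": func, "reason": reason,
            "peer_alert": alert, "alert_name": ALERTS.get(alert)}

def summarize(log_text):
    """Return (rejections per user, (first, last) timestamp, decoded error codes)."""
    per_user, seen, decoded = Counter(), [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        rej = REJECT.search(m.group(3))
        if rej and "unknown ca" in rej.group(2):
            per_user[rej.group(1)] += 1
            seen.append(ts)
        code = OSSL.search(m.group(3))
        if code:
            decoded.append(decode_openssl_error(code.group(1)))
    return per_user, (min(seen), max(seen)) if seen else None, decoded
```

Running `summarize` over the log written during a test window with the new certificate shows how many distinct accounts are affected before committing to the switch.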
