
cat-users - [[cat-users]] Eduroam Certificate Replacement

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Jacob Abegunde <address@concealed>
  • To: "address@concealed" <address@concealed>
  • Cc: "address@concealed" <address@concealed>, Jisc Service Desk <address@concealed>, Cert <address@concealed>
  • Subject: [[cat-users]] Eduroam Certificate Replacement
  • Date: Tue, 6 Jan 2026 12:14:17 +0000

Hello everyone,

 

We are replacing our Eduroam certificates and have encountered a problem that is difficult to resolve. Would anyone be kind enough to help or point us in the right direction?

 

Our current Eduroam certificate was purchased from Sectigo under the old Jisc framework. We wish to continue with Sectigo, so we bought a new certificate from them to replace the current one, which expires on 08/01/26.

 

After installing the new certificate last year, we encountered an issue: Windows clients could not connect to Eduroam because they did not trust the CA chain, which includes R36+R46+Root. We were unable to resolve the issue, so we had to roll back to the old certificate.

 

The error message is as follows:

 

###

Thu Dec 18 15:08:29 2025: INFO: Access rejected for address@concealed: EAP PEAP TLS error: tlsv1 alert unknown ca

Thu Dec 18 15:08:30 2025: ERR: EAP TLS error: -1, 1, 26,  43764: 1 - error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

####

 

We googled the issue and found that it is a known problem: the second certificate in the CA chain (the R46) is not widely trusted and is not trusted by Windows. All other clients, such as Apple iOS and Android, were okay.

 

We have raised a ticket with Sectigo, and yesterday I spent more than 3 hours in a session with their support team troubleshooting. The proposed solution is to remove R46 from the Windows trusted list by manipulating the certificate store on Windows clients. This worked on my laptop, but we have thousands of Windows users who do not know how to edit the certificate store, so it cannot be presented as a solution – it is not a scalable solution. Therefore, it remains an open case with Sectigo, who is researching a resolution, and time is running out on our old certificate, which expires on Thursday.

 

Has anyone come across this problem? Does anyone have a workaround or a solution? I would greatly appreciate any response.

 

Thank you.

 

Regards,

 

 

_______________________________________________________________________

 

Dr Jacob Abegunde

Network and Security Consultant (Library & Computing Services)

Visiting Lecturer, Computer Science (Cyber Security)

FHEA, PhD (Classical and Quantum-based Cyber Security),

MSc (Distributed Systems & Networks), BSc (Hons) (Computer Science)

School of Physics, Engineering and Computer Science (SPECS)

University of Hertfordshire, College Lane Campus, Hatfield, AL10 9AB

Email: address@concealed

_______________________________________________________________________
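An added example, not part of the original message: a short Python triage script for log lines in the shape quoted above. It unpacks the OpenSSL 1.x error code 14094418 to show that its reason field is 1048, that is 1000 + TLS alert 48 (unknown_ca), the form OpenSSL uses when the alert was received from the peer, so here the supplicant rejected the server's chain; it also counts rejections per user. The function names and the user names in the sample are assumptions made for illustration.

```python
import re
from collections import Counter

# TLS alert numbers that concern certificate trust (RFC 5246, section 7.2).
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}
ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number when the peer sent the alert

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
REJECT_RE = re.compile(r"INFO: Access rejected for (\S+): EAP \S+ TLS error: (.+)$")

def decode_openssl_error(code_hex):
    """Unpack an OpenSSL 1.x error code: 8-bit lib, 12-bit func, 12-bit reason."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        alert = TLS_ALERTS.get(number, "alert_%d" % number)
    return {"lib": lib, "func": func, "reason": reason, "received_alert": alert}

def summarise(lines):
    """Count rejections per (user, alert text) and decode each packed error code."""
    rejected, decoded = Counter(), []
    for line in lines:
        hit = REJECT_RE.search(line)
        if hit:
            rejected[(hit.group(1), hit.group(2).strip())] += 1
        err = ERR_RE.search(line)
        if err:
            decoded.append(decode_openssl_error(err.group(1)))
    return rejected, decoded

# Constructed sample in the shape of the two log lines in the post; user names are invented.
SAMPLE = [
    "Thu Dec 18 15:08:29 2025: INFO: Access rejected for alice@example.ac.uk: EAP PEAP TLS error: tlsv1 alert unknown ca",
    "Thu Dec 18 15:08:30 2025: ERR: EAP TLS error: -1, 1, 26,  43764: 1 - error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca",
    "Thu Dec 18 15:09:02 2025: INFO: Access rejected for alice@example.ac.uk: EAP PEAP TLS error: tlsv1 alert unknown ca",
    "Thu Dec 18 15:09:40 2025: INFO: Access rejected for bob@example.ac.uk: EAP PEAP TLS error: tlsv1 alert unknown ca",
]

if __name__ == "__main__":
    rejected, decoded = summarise(SAMPLE)
    for (user, alert), count in rejected.most_common():
        print(count, user, alert)
    for item in decoded:
        print(item)
```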

 



