EDUROAM explanation

eduroam (the cross-institution wifi system) moved from a login-based authentication system to a certificate-based system in early 2022. Depending on your platform, you may either not have the option to use the automated installer, or may not want to (since... it's a bit of a rootkit).

Getting certs and keys

You will first need to get a valid certificate and private key from UW. Go to UW IT's eduroam-tls page, and select "User-Defined" so that it will just generate a cert, rather than a binary. Randomly generate a high-quality password for the private key, and store it somewhere for later. Save the certificate as Client_cert.p12.

Once at the final page, also download the CA cert (save as CA_cert.pem).

Linux

For anyone using manual wpa_supplicant configurations, it is non-obvious how to interface with this new system.

p12 (pkcs12) is not a helpful format, since wpa_supplicant cannot parse it, so we need to extract the key and cert.

openssl pkcs12 -in Client_cert.p12 -out tmp_cert -clcerts

This will ask for a password; use the one you entered on UW IT's page. Now manually extract the cert and key from tmp_cert and save them to separate files (Client_cert.pem and Client_key.key). You only need the blocks delineated by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", and similarly for the key. Discard the rest.
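
One way to script the manual extraction step above, as an added example that is not part of the original page. The function names split_pem_bundle and write_sample_bundle are hypothetical, and the sample bundle is constructed placeholder data, not a real cert or key.

```shell
#!/bin/sh
# Added example (not from the original page): split the bundle written by
#   openssl pkcs12 -in Client_cert.p12 -out tmp_cert -clcerts
# into a cert file and a key file, dropping the "Bag Attributes" text.

# split_pem_bundle BUNDLE CERT_OUT KEY_OUT   (hypothetical helper name)
split_pem_bundle() {
    bundle=$1 cert_out=$2 key_out=$3
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    (
        umask 077   # new output files are never created group/world-readable
        awk -v cert="$cert_out" -v key="$key_out" '
            /^-----BEGIN CERTIFICATE-----/    { out = cert; ncert++ }
            /^-----BEGIN .*PRIVATE KEY-----/  { out = key;  nkey++ }
            out != ""                         { print > (out) }
            /^-----END /                      { out = "" }
            END {
                # -clcerts should leave exactly one client cert and one key
                if (ncert != 1 || nkey != 1) {
                    printf "expected 1 cert and 1 key, found %d and %d\n", ncert, nkey > "/dev/stderr"
                    exit 1
                }
            }' "$bundle"
    ) || { rm -f "$cert_out" "$key_out"; return 1; }
    chmod 600 "$key_out"   # also tightens a pre-existing key file
}

# Constructed sample bundle (placeholder base64, not a real cert or key)
write_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 02 03 04
subject=CN = constructed-example
issuer=CN = constructed-example-ca
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END ENCRYPTED PRIVATE KEY-----
EOF
}

# Usage: split_pem_bundle tmp_cert Client_cert.pem Client_key.key && rm -f tmp_cert
```

Removing tmp_cert afterwards avoids leaving a second copy of the private key on disk.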

Writing a wpa_supplicant config

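My config is then as follows; modify only the lines marked with a * (the * is a marker, not part of the file). Because private_key_passwd is stored in plain text, keep this file readable only by the user wpa_supplicant runs as (normally root).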

network={
  ssid="eduroam"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=TLS
  phase2="auth=PAP"
  identity="anonymous@uw.edu"
*  ca_cert="FULL_PATH_TO/CA_cert.pem"
*  client_cert="FULL_PATH_TO/Client_cert.pem"
*  private_key="FULL_PATH_TO/Client_key.key"
*  private_key_passwd="PASSWORD_YOU_CHOSE_EARLIER"
}

Good luck!

Android

You can do this with Android as well without too much trouble. Download the certs on your device as above. Then:

Windows

For Windows you need to download the certs as above, then 'install' both certs (just double-click them and follow the import instructions). From there, when you try to connect to eduroam you can click "use certificate" and select your user certificate.