WBA OpenRoaming certificates now issued or renewed using the new WBA Root Certificate Authority chain
At 00:00 UTC (beginning of the day) on 3rd of February 2025, the Wireless Broadband Alliance (WBA) switched to issuing OpenRoaming certificates using the new WBA Root Certificate Authority (CA) chain. This means that all OpenRoaming certificates renewed or issued on 3rd of February 2025 or later use the new WBA Root CA chain.
Although WBA planned the change and informed OpenRoaming Identity Providers (IdP) and Access Network Providers (ANP) about it, some OpenRoaming ANPs and IdPs have not updated their RADIUS/RadSec server configurations to accept both the old and the new WBA Root CA certificate chain for RadSec connections.
This means, for example, that customers of an IdP whose certificate was issued under the new root chain are not able to roam in ANP networks that do not accept the IdP's new RadSec server certificate. Likewise, if an IdP does not accept RadSec client certificates verified by the new WBA Root CA for connections originating from an ANP's Wi-Fi network, that IdP's customers are not able to roam into that ANP's Wi-Fi network.
If ANPs and IdPs do not update their inbound and outbound RADIUS/RadSec connections to accept both the old and the new WBA Root CA chain certificates, roaming connections with those ANPs and IdPs gradually deteriorate as new OpenRoaming certificates are issued or old ones are renewed.
How to update a Radiator OpenRoaming deployment to use the new WBA Root CA chain?
- Directory for CA certificates used for verifying inbound OpenRoaming connections from other OpenRoaming ANPs to your server: /etc/radiator/certificates/radsec_inbound_openroaming/ca
- Directory for CA certificates used for verifying the OpenRoaming IdP server certificates for RadSec connections used to authenticate those IdPs' users roaming in your network: /etc/radiator/certificates/radsec_outbound_openroaming/ca
First install the new WBA Root CA to the CA directory for verifying inbound OpenRoaming RadSec connections:
    cd /etc/radiator/certificates/radsec_inbound_openroaming/ca
    wget https://wballiance.com/wp-content/uploads/2024/05/wba-root1.pem
    chown root:radiator wba-root1.pem
    chmod 644 wba-root1.pem
    openssl rehash -v .
And then install the new WBA Root CA to the CA directory for verifying the IdP servers responding to outbound OpenRoaming RadSec connections:
    cd /etc/radiator/certificates/radsec_outbound_openroaming/ca
    wget https://wballiance.com/wp-content/uploads/2024/05/wba-root1.pem
    chown root:radiator wba-root1.pem
    chmod 644 wba-root1.pem
    openssl rehash -v .
After installing the certificates, it is recommended to restart the Radiator instances responsible for handling the connections with:
    systemctl restart radiator@radsec_inbound_openroaming
    systemctl restart radiator@radsec_outbound_openroaming
or all Radiator instances with:
    systemctl restart radiator-instances
If you are deploying the Radiator OpenRoaming Configuration from scratch, you should also download and install wba-root0.pem from the WBA PKI repository by following the above instructions, replacing the wget command that retrieves the certificate with:
    wget https://wballiance.com/wp-content/uploads/2024/05/wba-root1.pem
All other commands should be executed as described above for both directories.
As a result, you now have a Radiator OpenRoaming configuration that supports both the old and the new WBA Root CA chain. You can read more about Radiator OpenRoaming configuration in the Radiator OpenRoaming Configuration Guide. The Radiator OpenRoaming configuration template files also received useful updates in January 2025.
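One way to confirm that a CA directory really accepts peers from both chains, as an added example that is not part of the original article or Radiator's own tooling: the shell functions below (hypothetical names) verify sample peer certificates against a hashed CA directory and print each installed root's SHA-256 fingerprint for comparison with a value obtained out of band. It assumes OpenSSL 1.1.0 or later; intermediate certificates, if the peer file lacks them, go in an optional third argument.

```shell
#!/bin/sh
# Added example (not Radiator or WBA code). Function names are hypothetical.

# verify_against_ca_dir CA_DIR CERT [INTERMEDIATES_PEM]
# Returns 0 if CERT chains to a root in the hashed directory CA_DIR.
# -no-CAfile keeps the system default bundle out of the trust decision.
verify_against_ca_dir() {
    ca_dir=$1; cert=$2; chain=${3:-}
    if [ -n "$chain" ]; then
        openssl verify -no-CAfile -CApath "$ca_dir" \
            -untrusted "$chain" "$cert" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -CApath "$ca_dir" "$cert" >/dev/null 2>&1
    fi
}

# list_roots CA_DIR
# Prints subject, SHA-256 fingerprint and expiry of each *.pem in CA_DIR,
# for comparison with values obtained out of band.
list_roots() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -fingerprint -sha256 -enddate
    done
}

# check_peers CA_DIR CERT...
# Prints OK or FAIL per peer certificate; returns the number of failures.
check_peers() {
    peers_dir=$1; shift
    failures=0
    for peer in "$@"; do
        if verify_against_ca_dir "$peers_dir" "$peer"; then
            echo "OK   $peer"
        else
            echo "FAIL $peer"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Stand-alone use: sh script.sh CA_DIR PEER_CERT...
if [ "$#" -ge 2 ]; then
    list_roots "$1"
    check_peers "$@"
fi
```

Run it against each of the two CA directories above with one peer certificate issued under the old chain and one under the new; a FAIL line for the new-chain certificate means the directory is missing wba-root1.pem or was not rehashed.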