What are WiFi certificates used for? What are they?

  • Recently my university updated the certificates for authenticating on their WiFi network. I was hesitant to accept it because I wasn't sure what accepting it entailed or even what it was and what it's used for.

    There wasn't any general question about them as far as my search revealed, so I was hoping someone could shed some general light and point me in the right direction of learning more.

    Did you google wifi certificates? There seem to be lots of answers there.

    By "wifi certificates", do you mean "WPA Enterprise", or do you mean some sort of captive-portal system?

  • Daniel (Correct answer, 6 years ago)

    Increasingly, wifi access points (or the portals which serve as "sign in" pages for visitors and guests) feature support for SSL certificates. These certificates are designed to serve a dual purpose:

    1) Validation: They provide cryptographically-backed assurance to the visitor that the device they're connecting to genuinely belongs to the organization they think they're connecting with.

    2) Encryption: They serve to encrypt the connection between the client device and the server/host end (in this case, the wifi hosting device).

    Just about every web browser comes pre-installed with dozens, even hundreds, of identity certificates that belong to Public (or External) Certificate Authorities (CAs) such as Verisign, Comodo, Digicert, etc. This is done mostly out of convenience so that when you connect to a site whose certificate is signed by one of these vendors, 99% of the general public will have their browsers recognize them as legitimate.

    However, most large private organizations at some point will want to deploy their own PKI for greater control and cost-savings. So they'll implement their own Certificate Authority. Then they'll configure the Microsoft network to push that internal CA's certificate onto all the organization's client devices' Trust Stores. So now in addition to Digicert, Comodo, Verisign, that laptop or mobile device will now trust certificates signed by that internal CA.

    That last step is crucial. If this is not done, visitors will see ugly error messages warning that the Certificate's Not Trusted, or something like that. The certificate will still provide visitors with encryption, sure, but zero validation benefit. It's possible the university has deployed its own internal PKI, pushed certificates to its employee devices, and left students to scratch their heads, wondering, why is my web browser or client software throwing up errors when I try to connect? And that would make sense, especially since the University doesn't control your machine.

    It's likely because the University is using an internal PKI, and your device doesn't have their CA's certificate installed in your Certificate Trust Store. To solve this, just ensure that the certificate you're being presented with is authentic (you could call the service desk and confirm the certificate's fingerprint, if you know how to look for that; if not, look in the certificate details). Once you're certain, download the Root or Intermediate certificate and install that into your Trusted Root Store. You may have to restart your browser. Once that's done, however, you shouldn't see those errors anymore.

    Here's a good article to reference: https://technet.microsoft.com/en-us/library/cc754841.aspx

    Thanks, does this enable the university to do a man-in-the-middle attack?
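The two checks the answer recommends before installing a root certificate, as an added example that is not part of the original post: it builds a throwaway PKI with the openssl CLI (an internal root CA, a server certificate it signs, and an unrelated CA), reads the root's SHA-256 fingerprint the way you would from the certificate details, compares it against a value obtained out of band, and shows that the server certificate validates only under the root that actually issued it. The names (wifi.example.edu, "Example University Root CA") are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds a temporary PKI so the
# fingerprint and chain checks can be run offline. All names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Internal root CA: what a university's "WiFi certificate" usually is.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout ca.key -out ca.crt -subj "/CN=Example University Root CA" 2>/dev/null
# Server certificate for the access point / sign-in portal, signed by that CA.
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=wifi.example.edu" 2>/dev/null
openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -out srv.crt 2>/dev/null
# An unrelated CA: the server certificate must NOT validate against it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout other.key -out other.crt -subj "/CN=Unrelated CA" 2>/dev/null

# SHA-256 fingerprint of a certificate file, printed as "AB:CD:...". This is
# the value shown in the certificate details dialog and confirmed with the
# service desk before the root is installed into the trust store.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare the presented certificate against a fingerprint obtained out of band.
# Succeeds only on a match (case-insensitive, colons ignored).
fingerprint_matches() {
  got=$(cert_fingerprint "$1" | tr -d ':' | tr 'a-f' 'A-F')
  want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
  [ "$got" = "$want" ]
}

# Does the server certificate chain to the given root? Succeeds when trusted.
# This is the "validation" half of what the certificate provides.
chain_validates() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demonstration.
echo "Root CA fingerprint: $(cert_fingerprint ca.crt)"
chain_validates ca.crt srv.crt && echo "srv.crt validates under the university root"
chain_validates other.crt srv.crt || echo "srv.crt does not validate under an unrelated CA"
```

Trusting a root whose fingerprint you never confirmed gives you the encryption half but none of the validation half the answer describes, since any certificate chained to that root would then be accepted.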

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM