What is a WiFi certificate? How can I use it?
Recently my university updated the certificates for authenticating on their WiFi network. I was hesitant to accept it because I wasn't sure what accepting it entailed or even what it was and what it's used for.
Increasingly, WiFi access points (or the portals which serve as "sign in" pages for visitors and guests) feature support for SSL certificates. These certificates are designed to serve a dual purpose:
1) Validation: They provide cryptographically-backed assurance to the visitor that the device they're connecting to genuinely belongs to the organisation they think they're connecting with.
2) Encryption: They serve to encrypt the connection between the client device and the server/host end (in this case, the WiFi hosting device).
Just about every web browser comes pre-installed with dozens, even hundreds, of identity certificates that belong to Public (or External) Certificate Authorities (CAs) such as Verisign, Comodo, Digicert, etc. This is done mostly out of convenience so that when you connect to a site whose certificate is signed by one of these vendors, 99% of the general public will have their browsers recognize them as legitimate. However, most large private organisations at some point will want to deploy their own PKI for greater control and cost-savings. So they'll implement their own Certificate Authority. Then they'll configure the Microsoft network to push that internal CA's certificate onto all the organisation's client devices' Trust Stores. So now in addition to Digicert, Comodo, Verisign, that laptop or mobile device will now trust certificates signed by that internal CA.
That last step is crucial. If this is not done, visitors will see ugly error messages warning that the Certificate Isn't Trusted, or something like that. The certificate will still provide visitors with encryption, sure, but zero validation benefit. It's possible the university has deployed its own internal PKI, pushed certificates to its employee devices, and left students to scratch their heads, wondering, why is my web browser or client software throwing up errors when I try to connect? And that would make sense, especially since the University doesn't control your machine. It's likely because the University is using an internal PKI, and your device doesn't have their CA's certificate installed in your Certificate Trust Store. To solve this, just ensure that the certificate you're being presented with is authentic (you could call the service desk and confirm the certificate's fingerprint, if you know how to look for that--if not, look in the certificate details). Once you're certain, download the Root or Intermediate certificate and install that into your Trusted Root Store. You may have to restart your browser. Once that's done, however, you shouldn't see those errors anymore.
Here's a good article to reference regarding WiFi certificates: https://technet.microsoft.com/en-us/library/cc754841.aspx
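The fingerprint check mentioned in the answer above can be scripted; the following is an added example, not part of the original answer. It computes the SHA-256 fingerprint of a downloaded PEM certificate and compares it with the value read out by the service desk. The function names and the sample "certificate" (placeholder bytes, not a real certificate) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import ssl


def cert_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER encoding, as lowercase hex (what cert viewers show)."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()


def normalize(fingerprint: str) -> str:
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return "".join(ch for ch in fingerprint.lower() if ch not in ": -\t\r\n")


def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """True only if the certificate hashes to the fingerprint you were given."""
    want = normalize(expected)
    # Reject anything that is not a full SHA-256 value (e.g. a 40-digit SHA-1
    # fingerprint, or a truncated read-back over the phone).
    if len(want) != 64 or any(c not in "0123456789abcdef" for c in want):
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return hmac.compare_digest(cert_fingerprint(pem_text), want)


def as_colon_hex(fingerprint: str) -> str:
    """Format hex the way most certificate dialogs display it: 'AB:CD:...'."""
    return ":".join(fingerprint[i:i + 2] for i in range(0, len(fingerprint), 2)).upper()


# Constructed sample: placeholder bytes wrapped in PEM armour. The fingerprint
# is a hash of the encoded bytes, so this exercises the same code path as a
# real root or intermediate certificate file would.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    shown = as_colon_hex(cert_fingerprint(SAMPLE_PEM))
    print("Fingerprint of downloaded file:", shown)
    print("Matches value from service desk:", fingerprint_matches(SAMPLE_PEM, shown))
```

Install the certificate into the trust store only when the comparison returns True for a fingerprint obtained over a separate channel, not one shown on the same network you are trying to verify.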