Device Wifi: Certificate Authentication (Alpha)
What is Certificate Authentication
GovWifi requires a user to have a government email address, be sponsored by someone with a government email address, or have a mobile phone number. Because there was no certificate based option, many users re-used their own personal username and password across managed devices as a workaround. With certificate based authentication a device connects rather than a person, so nobody has to remember a username and password every time they want to connect to the internet, and IT managers no longer have to connect dozens of managed devices by hand.
How it works
- Register your organisation with the GovWifi Admin portal and set up the “GovWifi” SSID on your local network.
- Set up a Certificate Authority (CA) using a Public Key Infrastructure (PKI) software tool. This allows the organisation to sign certificates.
- Using your PKI, sign client certificates, one per device.
- Provide us with the root CA certificate (and any intermediate CA certificates) used to sign these client certificates.
- Devices can now connect to the internet via GovWifi wherever GovWifi is offered, provided the device’s wifi profile selects EAP-TLS when connecting to the GovWifi SSID.
Where is the code
- You can find the code for Certificate Authentication within the govwifi-frontend repo
- You can find where EAP-TLS is handled in FreeRADIUS here
- You can find the folder where the root CA certificates are held here
- Organisations may send us CA certificates that either don’t include the full chain of trust (for example an intermediate CA without its root) or aren’t actually the CA certificates that signed the client certificates.
- For organisations with limited IT resources GovWifi Devices is more difficult to set up and manage.
- For organisations using a Windows operating system, GovWifi Devices is more difficult to set up.
- Organisations lack knowledge about how certificate authentication works, specifically around OpenSSL.
- The time taken to receive certificates from organisations is much longer than anticipated.
- Organisations are having to seek security permissions and sign-off from decision makers, before they can send their certificate.
- The process of receiving certificates by email and uploading them manually is time consuming for service developers.
- Organisations may be unaware that certificates expire, which could generate a support load from end-users that is unmanageable for service developers.
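The following script is an added example and is not GovWifi’s own code. It walks through the organisation side of the setup steps above (a root CA, an intermediate issuing CA and a signed device certificate, all built with OpenSSL) and then runs the checks a service developer would want on what an organisation sends in: does the submitted CA file actually chain the device certificate to a root, is the file a CA certificate at all, and is the certificate about to expire. The organisation names, file names and working directory are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not GovWifi's own code): a minimal organisation PKI built with
# OpenSSL, plus the checks a service developer can run on a submitted CA file.
# Names (root/intermediate/device, the working directory) are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/pki.cnf"

write_config() {
  cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Department
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root CA; its private key never leaves the organisation.
new_root() {  # $1 name, $2 subject
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CNF" -extensions v3_ca -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Key and CSR for anything the CA will sign (an intermediate CA or a device).
new_csr() {  # $1 name, $2 subject
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$CNF" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign a CSR with an issuing CA, applying the named extension profile.
sign() {  # $1 name, $2 issuer name, $3 extension section, $4 validity in days
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -sha256 -days "$4" -extfile "$CNF" -extensions "$3" \
    -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
  write_config
  new_root root "/O=Example Department/CN=Example Department Device Root CA"
  new_csr intermediate "/O=Example Department/CN=Example Department Device Issuing CA"
  sign intermediate root v3_ca 1825
  new_csr device "/O=Example Department/CN=laptop-0001"
  sign device intermediate v3_client 365
  # The file the organisation should send: every CA in the chain, root included.
  cat "$WORK/root.crt" "$WORK/intermediate.crt" > "$WORK/bundle.crt"
  # An unrelated CA, standing in for "the wrong CA certificate was sent".
  new_root other_root "/O=Another Department/CN=Unrelated Root CA"
}

# --- Checks on what an organisation submits ---------------------------------

# Does the submitted CA material actually chain the device cert to a root?
verify_client_cert() {  # $1 submitted CA file, $2 device cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Is this file a CA certificate at all (basicConstraints CA:TRUE)?
is_ca_cert() {  # $1 cert
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Succeeds if the certificate expires within $1 days
# (-checkend exits 0 only when the certificate will still be valid).
expires_within_days() {  # $1 days, $2 cert
  ! openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$2" >/dev/null
}

if [ "${1:-}" = "demo" ]; then
  build_pki
  for ca in bundle.crt root.crt intermediate.crt other_root.crt; do
    if verify_client_cert "$WORK/$ca" "$WORK/device.crt"; then
      echo "$ca: device cert verifies"
    else
      echo "$ca: device cert does NOT verify"
    fi
  done
fi
```

Run it as `sh pki-demo.sh demo`: only the bundle containing both root and intermediate verifies the device certificate; the root alone, the intermediate alone and an unrelated root all fail, which is exactly the situation described above where a submitted file is missing part of the chain or is not the CA that signed the client certificates. `expires_within_days` is the check to run over stored CA and device certificates so that expiry is noticed before end-users start reporting failed connections.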
For more information about the user research that has gone into Certificate Authentication thus far click here