Eduroam requires installation of a CA Certificate - can they decrypt TLS traffic?

This CA Root certificate skole.hr is not an official Eduroam certificate, but a CA certificate probably from the school that implements Eduroam WiFi. It's also plausible that this is a completely unrelated 3rd party CA certificate used for spying; we can't distinguish that with certainty.

While it might be used for WiFi authentication, as the WPA_EAP_TTLS_PAP suggests, installed as a trusted CA it might be used for signing any certificate. If you install the CA you trust whoever is behind it, and they could use it on an intercepting HTTPS proxy, among many things.

If your only intention is to connect to the WiFi, it would be possible to skip installing the certificate altogether, just trust any certificate for this connection, and use the Internet access with caution, just as you'd use any free WiFi. However, as this might compromise the account you are using for the WiFi, the best choice would be limiting the usage of the CA only for the WiFi authentication, as explained in the answers from multithr3at3d and Ángel.


First, Android provides two distinct import options for a reason. VPN and Apps is for general HTTPS traffic from all of your apps, including browsers. You can install your own CAs here if you want to intercept your own traffic, for example. WiFi is for identifying enterprise WiFi networks, but does not affect normal traffic, to my knowledge. This brings us to the next part.

You should always specify a CA certificate when you connect to enterprise WiFi networks. 802.1X supports a number of authentication protocols (e.g. EAP-TLS); the CA is typically used to verify the authentication server's certificate. If you do not specify a CA, your client will accept whatever server it talks to. The result, depending on authentication type, is that you may be handing over plaintext credentials (your credentials for your eduroam-participating organization) to an attacker. This can be done easily with an evil twin attack, using a tool such as EAPHammer. There is nothing stopping someone from performing this attack with the eduroam ESSID and stealing your credentials. For this reason, you should always specify a CA when connecting.


is "Installed for Wi-Fi" which I assume means that the credential is applied to all WiFi traffic.

No. It doesn't mean this.

There are several ways in which a WiFi network may authenticate a user. The most common ones are:

  • WPA-PSK: Both parties use a Pre-Shared Key to authenticate themselves. That is the mechanism for all those that use just a password. Anyone knowing the password may connect to the WiFi, as well as impersonate the WiFi by creating another one with the same name.
  • WPS (Wi-Fi Protected Setup): This allows the use of a short PIN to recover the full PSK password. Insecure.
  • WPA-802.1X (WPA-Enterprise): Users authenticate with a pair of User/Password against a RADIUS server.
  • Captive portal: Actually not a way for authenticating users to the WiFi network, but an authentication atop of an open WiFi.

Whenever you want to securely authorize a large number of users, you should be using WPA-802.1X - which is what Eduroam does. This will require that you send the Access Point (AP) a user and password. These credentials (which may be even the same that you use to authenticate to your University for e.g. email) should be protected. However, an evil actor could set up an AP named Eduroam in order to have your Computer/Phone connect to it (i.e. provide it your Eduroam credentials). The way for your device to identify that this is the legitimate AP is to check a certificate presented by it. Just like those used to authenticate a server in HTTPS. The certificate you were given is the one used by the AP (or, as in your case, a parent certificate that signs those of the AP).

Modern phones store these certificates separately from global CA, so you add the certificate to the WiFi connection, rather than installing a CA that could sign websites. This is why it shows it is "Installed for Wi-Fi". It doesn't mean it is allowed to sign the certificates of HTTPS pages when they are accessed through Wi-Fi. It means that it will only be used to certify the Wi-Fi connection.

Once you are connected to the Wi-Fi, your apps will use the normal CA bundle to validate server certificates (just as when not using Wi-Fi).

In summary, this certificate, only installed for Wi-Fi on your device, will not allow them to snoop on your encrypted (HTTPS) traffic (any more than they could without the certificate installed), and in fact you should install it to avoid releasing your credentials to a rogue AP.

PS: As a side note, a 1024-bit RSA certificate using SHA-1 is considered dated nowadays; they should update it, which they will be forced to do anyway before Nov 21 2021.
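The two answers above (multithr3at3d's "always specify a CA" and Ángel's explanation of the Wi-Fi-only certificate) map, on a Linux client, to the ca_cert line of a wpa_supplicant network block. The following audit script is an added example, not code from any answer on this page: it parses constructed sample blocks, one weak and one hardened, and flags WPA-EAP networks that would accept whatever RADIUS server answers. It also checks for a server-name match (domain_suffix_match and friends), which goes one step beyond the answers; the SSID, paths, identity and password are constructed placeholders.

```python
import re

# Constructed sample config (not a real site's): one weak block, one hardened block.
SAMPLE_CONF = """network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="student@example.edu"
    password="constructed-placeholder"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="student@example.edu"
    password="constructed-placeholder"
    ca_cert="/etc/ssl/certs/school-ca.pem"
    domain_suffix_match="radius.example.edu"
}"""

def parse_networks(conf: str) -> list[dict]:
    """Return one key/value dict per network={...} block (quotes stripped)."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        kv = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                k, v = line.split("=", 1)
                kv[k.strip()] = v.strip().strip('"')
        nets.append(kv)
    return nets

def audit(net: dict) -> list[str]:
    """Findings for one block; an empty list means the RADIUS server is validated."""
    if net.get("key_mgmt", "").upper() != "WPA-EAP":
        return []  # PSK/open networks have no server certificate to check
    findings = []
    if "ca_cert" not in net:
        msg = "no ca_cert: any server answering as this SSID is accepted"
        if net.get("phase2", "").upper().endswith("AUTH=PAP"):
            msg += " and TTLS/PAP hands it the password in the clear"
        findings.append(msg)
    if not any(k in net for k in ("domain_suffix_match", "domain_match",
                                  "altsubject_match", "subject_match")):
        findings.append("no server-name match: any cert from that CA is accepted")
    return findings
```

Running audit over each block returned by parse_networks reports two findings for the first block and none for the second.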