Reference Document

WBA PKI Certificate Policy
Certificate Practise Statement

Service-Impacting Update on 3rd February, 2025

A service-impacting update to the OpenRoaming Federation is scheduled on 3rd February, 2025, at 00:00 UTC.

During this update, the WBA Issuing I-CA will transition from issuing certificates under the legacy root “wba-root0” to the new root “wba-root1.”

To ensure continued functionality, all operational systems are required to have their trust anchors updated with the new root to enable mTLS/Radsec using certificates issued from the new chain.

Certificate Authorities

The following certificate authorities are operated according to the practices described in the above CPS. Distinguished Names are represented using the algorithm recommended in RFC 4514.

(Generate the SHA-256 fingerprint using the command `openssl x509 -in root0.pem -noout -fingerprint -sha256`)

WBA Root CAs

| Alias | Distinguished Name | SHA-256 Fingerprint | Certificate | Status |
| --- | --- | --- | --- | --- |
| wba-root0 | CN=openroaming.org, O=Cisco Systems, Inc., L=San Jose, S=California, C=US | 40:99:6D:C4:74:0C:EB:FA:DC:3F:4B:9F:26:58:DA:73:2B:2A:F0:6D:71:96:CB:E1:92:43:09:A8:34:3B:5A:48 | DER PEM | Operational |
| wba-root1 | CN=openroaming.org, O=Wireless Broadband Alliance, Inc., OU=OpenRoaming, L=San Ramon, S=California, C=US | 8A:A0:3A:86:97:90:FE:D7:F9:08:E7:87:79:AE:0C:FD:09:66:1D:A4:2A:58:83:A7:7B:1B:65:17:27:E2:2E:6F | DER PEM | Pre-Staging: Operational by February 2025 |
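
A trust-anchor update is only as good as the check that the file being installed is the published root. The following is an added example, not WBA code: it extends the single-file OpenSSL fingerprint command above to a whole PEM bundle and refuses the bundle unless every certificate matches a Root CA fingerprint published on this page. The function names are hypothetical and `SAMPLE_PEM` is constructed placeholder data.

```python
import base64
import hashlib
import re

# SHA-256 fingerprints of the WBA Root CAs, copied from the table on this page.
PUBLISHED_ROOTS = {
    "wba-root0": "40:99:6D:C4:74:0C:EB:FA:DC:3F:4B:9F:26:58:DA:73:"
                 "2B:2A:F0:6D:71:96:CB:E1:92:43:09:A8:34:3B:5A:48",
    "wba-root1": "8A:A0:3A:86:97:90:FE:D7:F9:08:E7:87:79:AE:0C:FD:"
                 "09:66:1D:A4:2A:58:83:A7:7B:1B:65:17:27:E2:2E:6F",
}
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def pem_certificates(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file or bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]

def sha256_fingerprint(der):
    """SHA-256 over the DER encoding, formatted like `openssl x509 -fingerprint`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalise(fingerprint):
    """Strip separators and case so copy/paste variations still compare equal."""
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())

def check_bundle(pem_text, published=PUBLISHED_ROOTS):
    """Pair each certificate's fingerprint with its published alias, or None."""
    by_fp = {normalise(fp): alias for alias, fp in published.items()}
    return [(fp, by_fp.get(normalise(fp)))
            for fp in map(sha256_fingerprint, pem_certificates(pem_text))]

def safe_to_install(pem_text, published=PUBLISHED_ROOTS):
    """True only if the file holds at least one cert and every cert is published."""
    results = check_bundle(pem_text, published)
    return bool(results) and all(alias for _, alias in results)

# Constructed stand-in for a downloaded file: placeholder bytes, not a real cert.
SAMPLE_DER = b"constructed placeholder, not a WBA certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for fp, alias in check_bundle(SAMPLE_PEM):
        print(alias or "NOT PUBLISHED", fp)
    print("safe to install:", safe_to_install(SAMPLE_PEM))
```

The placeholder is rejected because its fingerprint is not in the published set; a bundle that mixes a published root with any unpublished certificate is rejected as a whole.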

Policy I-CAs Signed by the WBA Root CAs

signed by wba-root0

| Alias | Distinguished Name | SHA-256 Fingerprint | Certificate | Status |
| --- | --- | --- | --- | --- |
| wba-policy0 | CN=openroaming.org, O=Wireless Broadband Alliance, OU=WBA,DNQ=WBA WRIX ECC Policy Intermediate CA-01, L=Singapore, S=Singapore,C=SG | 49:36:70:CA:AB:FA:00:05:5E:57:99:15:38:2C:83:EA:E3:A3:A9:BB:D1:D8:AD:95:76:72:75:A6:B2:CD:00:8F | DER PEM | Operational |

signed by wba-root1

| Alias | Distinguished Name | SHA-256 Fingerprint | Certificate | Status |
| --- | --- | --- | --- | --- |
| wba-policy1 | CN=OpenRoaming Policy ICA, O=Wireless Broadband Alliance, Inc., OU=WBA,DNQ=WBA WRIX ECC Policy Intermediate CA-2, L=San Mateo, S=California,C=US | F0:F5:6A:BF:51:1F:40:C9:B0:93:1E:FD:F9:83:E5:3A:1B:CA:2B:D2:7D:8E:8F:02:1A:E6:B2:83:F5:3F:28:43 | DER PEM | Pre-Staging: Operational by February 2025 |

Issuing I-CAs Signed by the WBA Policy I-CAs

signed by wba-policy0

| Alias | Distinguished Name | SHA-256 Fingerprint | Certificate | Status |
| --- | --- | --- | --- | --- |
| cisco-issuing0 | CN= cisco.openroaming.org, O=Cisco Systems Inc., OU=DNASpaces, L=San Jose,S=California,C=US | C6:24:94:33:6C:88:71:8F:99:CB:BC:7A:76:70:48:96:56:B8:27:DB:B6:7A:4F:B4:32:07:57:04:3A:2C:39:18 | DER PEM | Operational |
| google-issuing0 | O=Google, OU=WBA, DNQ=WBA WRIX ECC Intermediate CA-1, C=US | 69:31:2F:C2:2D:66:D9:63:53:2F:C0:73:6A:AE:25:30:D3:F4:00:C1:A2:5E:77:84:F6:4D:2D:40:03:21:8A:78 | DER PEM | Operational |
| kyrio-issuing0 | CN=openroaming.org, O=Kyrio, Inc., OU=WBA, DNQ=WBA WRIX ECC Intermediate CA-2,C=US | 6D:5E:FC:AD:96:67:62:3C:18:2D:23:6D:68:27:8E:43:FD:04:39:95:F4:6F:55:94:6C:B3:F6:EB:C0:95:E7:36 | DER PEM | New certificate issuing suspended |
| wba-issuing0 | CN=openroaming.org, O=WBA, OU=WBA Issuing ICA, DNQ=WBA WRIX ECC Intermediate CA-4, L=San Mateo, S=California,C=US | 10:5D:92:AB:1C:FD:9B:5A:73:97:37:F5:98:C1:22:46:DF:C5:40:CF:42:FD:59:C5:3D:AF:74:20:96:62:41:DC | DER PEM | Operational |

signed by wba-policy1

| Alias | Distinguished Name | SHA-256 Fingerprint | Certificate | Status |
| --- | --- | --- | --- | --- |
| wba-issuing1 | CN=OpenRoaming Issuing ICA, O=Wireless Broadband Alliance, Inc., OU=WBA, DNQ=WBA WRIX ECC Intermediate CA-5, L=San Mateo, S=California,C=US | B9:6F:4B:AB:A1:16:E6:08:64:3B:FA:DB:82:80:00:49:F3:50:D7:1A:BD:F3:5C:1F:09:26:F8:D1:58:13:C3:3A | DER PEM | Pre-Staging: Operational by February 2025 |
| cisco-issuing1 | CN=OpenRoaming Cisco Issuing ICA, O=Cisco Systems, Inc., OU=WBA, DNQ=WBA WRIX ECC Intermediate CA-6, L=San Jose,S=California,C=US | 8A:F1:D1:50:29:76:CE:49:50:AE:1F:4A:60:E9:63:A2:84:1E:DB:84:EA:AD:3C:C3:70:D0:0D:CF:65:91:ED:89 | DER PEM | Pre-Staging: Operational by February 2025 |

NOTE: For Issuing I-CAs not operated by WBA, please refer to the organization operating the Issuing I-CA for details related to their Certificate Practise Statement.

End-Entity certificates signed by the WBA’s Issuing I-CAs

signed by wba-issuing0

End-entity certificates are published directly to the requesting subscriber and are not listed here.

Requests and Problem Reporting

Certificate Requests

WBA members can request to become an OpenRoaming PKI Registration Authority and use the WBA’s Agent API to programmatically trigger the issuance of certificates. Please contact pmo@wballiance.com for more details.

Alternatively, WBA members and partners can request to purchase OpenRoaming PKI certificates by filling out a form with their WBAID information and completing the payment process. Please follow this link for more information.

Revocation Requests

WBA members operating as an OpenRoaming PKI Registration Authority can use the WBA’s Agent API to programmatically trigger the revocation of certificates.

End-Entities may request revocation of their own certificates by emailing pki-revocation@wballiance.com.
All reports need to include sufficient detail to identify the specific certificates to be revoked. Requests must include a reason code as specified in the CPS.

General Questions

End-Entities and/or Relying Parties may email pki@wballiance.com with non-urgent questions about WBA PKI.
This email should not be used for revocation requests or other problem reporting related to certificates.