Reference Document
Service-Impacting Update on 3rd February, 2025
A service-impacting update to the OpenRoaming Federation is scheduled on 3rd February, 2025, at 00:00 UTC.
During this update, the WBA Issuing I-CA will transition from issuing certificates under the legacy root “wba-root0” to the new root “wba-root1.”
To ensure continued functionality, all operational systems are required to have their trust anchors updated with the new root to enable mTLS/Radsecusing certificates issued from the new chain.
Certificate Authorities
The following certificate authorities are operated according to the practices described in the above CPS. Distinguished Names are represented using the algorithm recommended in RFC 4514.
(Generate SHA-256 Fingerprint using command $openssl x509 -in root0.pem -noout -fingerprint -sha256)
WBA Root CAs
Company |
Alias |
Distinguished Name |
SHA-256 Fingerprint |
Certificate |
Status |
|---|---|---|---|---|---|
 |
wba-root0 | CN=openroaming.org, O=Cisco Systems, Inc., L=San Jose, S=California, C=US | 40:99:6D:C4:74:0C:EB:FA:DC:3F:4B:9F:26:58:DA:73:2B:2A:F0:6D:71:96:CB:E1:92:43:09:A8:34:3B:5A:48 | DER PEM | Operational |
|
wba-root1 | CN=openroaming.org, O=Wireless Broadband Alliance, Inc., OU=OpenRoaming, L=San Ramon, S=California, C=US | 8A:A0:3A:86:97:90:FE:D7:F9:08:E7:87:79:AE:0C:FD:09:66:1D:A4:2A:58:83:A7:7B:1B:65:17:27:E2:2E:6F | DER PEM | Pre-Staging: Operational by February 2025 |
Policy I-CAs Signed by the WBA Root CAs
signed by wba-root0
Company Logo |
Alias |
Distinguished Name |
SHA-256 Fingerprint |
Certificate |
Status |
|---|---|---|---|---|---|
|
wba-policy0 | CN=openroaming.org, O=Wireless Broadband Alliance, OU=WBA,DNQ=WBA WRIX ECC Policy Intermediate CA-01, L=Singapore, S=Singapore,C=SG | 49:36:70:CA:AB:FA:00:05:5E:57:99:15:38:2C:83:EA:E3:A3:A9:BB:D1:D8:AD:95:76:72:75:A6:B2:CD:00:8F | DER PEM | Operational |
signed by wba-root1
Company Logo |
Alias |
Distinguished Name |
SHA-256 Fingerprint |
Certificate |
Status |
|---|---|---|---|---|---|
|
wba-policy1 | CN=OpenRoaming Policy ICA, O=Wireless Broadband Alliance, Inc., OU=WBA,DNQ=WBA WRIX ECC Policy Intermediate CA-2, L=San Mateo, S=California,C=US | F0:F5:6A:BF:51:1F:40:C9:B0:93:1E:FD:F9:83:E5:3A:1B:CA:2B:D2:7D:8E:8F:02:1A:E6:B2:83:F5:3F:28:43 | DER PEM | Pre-Staging: Operational by February 2025 |
Issuing I-CAs Signed by the WBA Policy I-CAs
signed by wba-policy0
Company Logo |
Alias |
Distinguished Name |
SHA-256 Fingerprint |
Certificate |
Status |
|---|---|---|---|---|---|
 |
cisco-issuing0 | CN= cisco.openroaming.org, O=Cisco Systems Inc., OU=DNASpaces, L=San Jose,S=California,C=US | C6:24:94:33:6C:88:71:8F:99:CB:BC:7A:76:70:48:96:56:B8:27:DB:B6:7A:4F:B4:32:07:57:04:3A:2C:39:18 | DER PEM | Operational |
 |
google-issuing0 | O=Google, OU=WBA, DNQ=WBA WRIX ECC Intermediate CA-1, C=US | 69:31:2F:C2:2D:66:D9:63:53:2F:C0:73:6A:AE:25:30:D3:F4:00:C1:A2:5E:77:84:F6:4D:2D:40:03:21:8A:78 | DER PEM | Operational |
 |
kyrio-issuing0 | CN=openroaming.org, O=Kyrio, Inc., OU=WBA, DNQ=WBA WRIX ECC Intermediate CA-2,C=US | 6D:5E:FC:AD:96:67:62:3C:18:2D:23:6D:68:27:8E:43:FD:04:39:95:F4:6F:55:94:6C:B3:F6:EB:C0:95:E7:36 | DER PEM | New certificate issuing suspended |
|
wba-issuing0 | CN=openroaming.org, O=WBA, OU=WBA Issuing ICA, DNQ=WBA WRIX ECC Intermediate CA-4, L=San Mateo, S=California,C=US | 10:5D:92:AB:1C:FD:9B:5A:73:97:37:F5:98:C1:22:46:DF:C5:40:CF:42:FD:59:C5:3D:AF:74:20:96:62:41:DC | DER PEM | Operational |
signed by wba-policy1
Company Logo |
Alias |
Distinguished Name |
SHA-256 Fingerprint |
Certificate |
Status |
|---|---|---|---|---|---|
|
wba-issuing1 | CN=OpenRoaming Issuing ICA, O=Wireless Broadband Alliance, Inc., OU=WBA, DNQ=WBA WRIX ECC Intermediate CA-5, L=San Mateo, S=California,C=US | B9:6F:4B:AB:A1:16:E6:08:64:3B:FA:DB:82:80:00:49:F3:50:D7:1A:BD:F3:5C:1F:09:26:F8:D1:58:13:C3:3A | DER PEM | Pre-Staging: Operational by February 2025 |
|
cisco-issuing1 | CN=OpenRoaming Cisco Issuing ICA, O=Cisco Systems, Inc., OU=WBA, DNQ=WBA WRIX ECC Intermediate CA-6, L=San Jose,S=California,C=US | 8A:F1:D1:50:29:76:CE:49:50:AE:1F:4A:60:E9:63:A2:84:1E:DB:84:EA:AD:3C:C3:70:D0:0D:CF:65:91:ED:89 | DER PEM | Pre-Staging: Operational by February 2025 |
NOTE, for non-WBA operated Issuing I-CAs, please refer to the organization operating the Issuing I-CA for details related to their Certificate Practise Statement.
End-Entity certificates signed by the WBA’s Issuing I-CAs
signed by wba-issuing0
End-entity certificates are published directly to the requesting subscriber and are not listed here.
Requests and Problem Reporting
Certificate Requests
WBA members can request to become an OpenRoaming PKI Registration Authority and use the WBA’s Agent API to programmatically trigger the issuance of certificates. Please contact pmo@wballiance.com for more detils.
Alternatively, WBA members and partners can request to purchase OpenRoaming PKI certificates by filling out a form with their WBAID information and completing the payment process. Please follow this link for more information.
Revocation Requests
WBA members operating as an OpenRoaming PKI Registration Authority can use the WBA’s Agent API to programmatically trigger the revocation of certificates.
End-Entities may request revocation of their own certificates by emailing pki-revocation@wballiance.com.
All reports need to include sufficient detail to identify the specific certificates to be revoked. Requests must include a reason code as specified in the CPS.
General Questions
End-Entities and/or Relying Parties may email pki@wballiance.com with non-urgent questions about WBA PKI.
This email should not be used for revocation requests or other problem reporting related to certificates.
