Exchange of the WiFi Security Certificate

In order to exchange the WiFi security certificate on your end devices, it is necessary to set up the WiFi connections on your devices again. How to set up a new WiFi connection is explained in the following operating system specific instructions.

The reason for the necessary re-setup of the WiFi profiles is the expiration of the security certificate "Deutsche Telekom Root CA 2" on 9th July 2019, which will be replaced with the new security certificate "T-Telesec Global Root Class 2" (valid until 2033). The new certificate is included in the profiles to which the following instructions refer.

The usage of the new WiFi profiles eventually requires a one-time login with your WiFi password. If you don't have your WiFi password at hand, you can set a new one at https://registry.desy.de/registry.

If you should have questions or problems the UCO is at your service (contact data see below).

Windows (mit DSM/NetInstall)

Installation unsing DSM/NetInstall Software Shop

If you are using a DESY standard device with Windows, you may install the needed WiFi profiles using the DSM/NetInstall Software Shop. Open NetInstall/DSM, click on "Available Software" and chose the software category "Communication". Afterwards chose the Package "WiFi Profiles" (see Figure 1) and click on Install. Chose the shopping cart symbol on the upper right corener and in the newly opened window click on "Ok". Afterwards the new WiFi Profiles "DESY_v2" and "eduroam_v2" are available in the list of WiFi networks.

Figure 1

If you connected successfully with the new WiFi profiles, you may delete the old WiFi profiles "DESY" and "eduroam". To do this, please open the WiFi list and right click on "forget" (see Figure 2).

Figure 2

Windows (ohne DSM/NetInstall)

Manual Installation (without DSM/NetInstall)

If you have a Windows device without DSM/NetInstall Software Shop, the WiFi profiles have to be installed manually. To install the needed WiFi profiles manually on Windows operating systems, first click on the link below to download the WiFi profiles for Windows, these profiles will have to be installed on your system in order to setup a new WiFi configuration. The procedure how to install these WiFi profiles is described in the following.

application/x-zip-compressed DESYWiFi-profile-import.zip (5KB)
DESY WiFi profiles for Windows

After clicking on the link above, you will be asked whether you want to save the file or open it directly (see Figure 1). Save the file (for example on your desktop).

Figure 1

Then extract the folder in the file by right-clicking on the ZIP file and selecting the menu item "Extract all..." (see Figure 2).

Figure 2

Afterwards a new directory "DESYWiFi-profile-import" should be available to you. Open it with a double click, then you should see the directories "Windows 7" and "Windows 10" (see figure 3).

Figure 3

Then open the "Windows 7" or "Windows 10" directory, depending on which version of Windows is currently running on your device. These directories contain two files with the file extension .bat, with the following names

  •     import WLAN_eduroam (...)
  •     import WLAN_DESY (...)

 

Depending on whether you want to install the WiFi profile for the WiFi network eduroam or DESY, double-click on the file named with the desired WiFi network name. If you want to use both wireless networks, you will have to install both profiles.

Afterwards open the list of WiFi networks using the WiFi icon in the lower right corner of the taskbar (see Figure 4).

Figure 4

If the installation of the new WiFi profile was successful, you will see a new profile named eduroam_v2 or DESY_v2 in the list of WiFi networks. Select this profile and click on the "Connect" button (see Figure 5).

Figure 5

You will then be asked to enter your WiFi credentials. These are:

  •     Username: accountname@desy.de
  •     Password: The WiFi password for the used account

 

Please replace accountname with the DESY account name you want to use for the connection. Then click on the "OK" button to confirm your entries (see Figure 6).

Figure 6

After entering your login information, a connection should be established successfully. You can check the status of the connection in the list of WiFi networks. The message "Connected, secured" must be displayed directly below the profile name (see Figure 7).

Figure 7

If you connected to the WiFi network with the new WiFi profile successfully, please remove the old one. If you installed the new DESY WiFi Profile "DESY_v2", please delete the old WiFi profile "DESY". Otherwise, if you installed the new eduroam WiFi profile "eduroam_v2", remove the old "eduroam" WiFi profile. You can do this by right clicking on the old profile "DESY" or "eduroam" and chosing "do not save" (see Figure 8).

Figure 8

macOS

First, click on the appropriate profile below to download either the DESY or eduroam WiFi profile. The profiles "DESY" and "eduroam" have to be installed separately. If you want to use both networks, you have to download and install both profiles.


After clicking on the links, a window will open where you can choose between opening the file directly with system preferences or saving it first. The easiest way is to open the file directly pressing "OK" (see figure 1).

Figure 1

In the next step you are asked to confirm, that you want to install the preconfigured WiFi profile containing the (new) security certificate.
If you wish, you can look into the details of the profile at this point by clicking "Show Profile". Otherwise click on "Continue" immediately (see figure 2).
 

Figure 2

After a new window opens (see figure 3), you have to type in your login informations that will be used with the new WiFi profile. The login information is the same for the WiFi networks "DESY" and "eduroam":

  • Username: accountname@desy.de
  • Passwort: Your WiFi Password belonging to the used account


Please replace accountname with the DESY account name you want to use for the connection. To confirm the entered information, click on "Install" afterwards.

Figure 3

If there is a WiFi profile with the same name on your system already, a window (see figure 4) will open warning you, that the current WiFi profile will be overwritten. Click "Install" in this window to finish the installation of the WiFi profile / security certificate.

Figure 4

After the installation has finished successfully, details of the newly installed WiFi profile will be shown as a summary (see figure 5). If you scroll down the window you will also see informations about the certificate. The following information should be shown:

  • Description / Certificate: T-TeleSec GlobalRoot Class 2
  • Expires: 2. Oct 2033 at 01:59

     

Figure 5

Afterwards you should be able to connect to the desired WiFi network using this previously installed WiFi profile.

iPhone / iPad

First, click on the appropriate profile below to download either the DESY or eduroam WiFi profile. The profiles "DESY" and "eduroam" have to be installed separately. If you want to use both networks, you have to download and install both profiles.


After clicking on one of these links, a window will open. Here you have to confirm that you want to load the new WiFi profile (figure 1).

Figure 1

After that the profile is loaded but still has to be installed. Close the message saying the profile is loaded (figure 2) and continue with the next step.

Figure 2

Open the system settings using the app menu (figure 3).
 

Figure 3

In the settings you will find a marked menu item which is waiting for your action. Click on "Finish configuration" (figure 4).

Figure 4

In the newly opened window information about the profile and the (new) security certificate (contained in the profile) is shown up. The details have to match the information on figure 5. Please compare them. Afterwards install the new WiFi profile by clicking "Install" (figure 5).

 

Figure 5

To confirm the process, you have to enter the code which you have set up for your mobile device (figure 6).

Figure 6

Now that you have confirmed the WiFi profile installation, you have to install the security certificate, too. In the new window you will be informed, that the new security certificate (T-Telesec GlobalRoot Class 2) will be added to the list of trusted certificates in your system. Confirm this process by clicking "Install" (figure 7).

Figure 7

The process has to be confirmed again in the next step. Therefore click on "Install" again (figure 8).

Figure 8

In the following two windows (figure 9 and 10) you have to type in your login information which shall be used to setup the new WiFi profile. The login information is the same for both networks "DESY" and "eduroam":

  • Username: accountname@desy.de
  • Passwort: Your WiFi Password belonging to the used account


Please replace accountname with the DESY account name you want to use for the connection. Confirm the entered information by clicking on "Continue" (figure 9).

Figure 9

Afterwards you will be prompted to type in your WiFi password. Enter it into the text field and click on "Continue" (figure 10).

Figure 10

As a last step you can compare the profile informations with the date shown on figure 11 and confirm by clicking on "Finish" (figure 11).

Figure 11

Afterwards you should be able to connect to the WiFi network for which you have just installed the new profile. The new security certificate, which is integrated in the installed profile, will automatically be used on your device for this connection from now on.

Android

Please note, that the terms and menu items in the following manual may differ from the ones on your device, depending on the manufacturer, operating system version and the device itself. Due to this variety, it is unfortunately not possible to provide general instructions for all Android devices.

This manual was created using a Samsung device and is therefore applicable to the DESY standard Samsung devices.

The first step is to download and install the new security certificate T-Telesec Global Root Class 2. To do this, please click on the following link on your mobile device to initiate this process:

(Attention: It is currently not possible to download the certificate with Firefox. Please use a different browser, for example Chrome.)

application/x-x509-ca-cert T-Telesec GlobalRoot Class 2 (967Bytes)
T-Telesec GlobalRoot Class 2

After clicking on the link above, the certificate can be downloaded and installed. Your device will ask you once for your key lock. Then enter a name for the certificate and select Wi-Fi as "Credential Use". (see Figure 1). In the following instruction, the certificate has the name "T-Telesec".

Figure 1

Now open the available Wi-Fi networks and select "eduroam" or "DESY" to connect to the network. (see Figure 2). If you should still have a saved eduroam or DESY profile, you should remove it first. To do this, select the saved profile and press Remove.

Figure 2

Select the previously installed "T-Telesec" certificate as the "CA certificate" (see Figure 3). In addition enter the following data:

  • EAP-Method: TTLS
  • Domain: desy.de
  • Identity: accountname (your DESY account)
  • Password: Wi-Fi password belonging to the used account
     

Please replace accountname with the DESY account name you want to use for the connection. If applicable please already enter the Anonymous Identity and Phase2 Authentication here. Otherwise please first click on "Advanced" (see figure 3), to enter these settings. Confirm the entered information by clicking on "Connect" (see Figure 3).

  • Anonymous identity (For WiFi "eduroam"): eduroam@desy.de
  • Anonymous identity (For WiFi "DESY"): intern@desy.de
  • Phase2 Authentication: MS-CHAP v2
     

Figure 3

Afterwards you should be able to connect to the selected WiFi network successfully using the installed certificate and the used settings by clicking on "Connect".

Linux

Since DESY does not provide laptops with Linux, WiFi support for Linux laptops can only be achieved in a limited way.

Below is a screenshot of the required settings for setting up Ubuntu (or in general Gnome NetworkManager).

The required certificate is usually stored in this location: "/etc/ssl/certs/T-Telesec_GlobalRoot_Class_2.pem"

Otherwise all the settings from the section "manual setup" are still valid.

Information for a manual Setup

A manual setup of the WiFi connections is not always necessary. Therefore, first check whether specific instructions for one of the operating systems listed above can be applied to your device. If the automatic setup of the WiFi profiles with the operating system specific instructions is not possible, please use the following information for a manual setup of your WiFi connections.

Security Certificate

First download the Security Certificate "T-Telesec Global Root Class 2" and install it afterwards. To get this done please use the following link: T-Telesec Global Root Class 2

After clicking on the certificate you will probably be notified that the certificate is already installed. In that case there is nothing else to do for you at this point and you can proceed to setup the WiFi connection using the preferences listed below. Otherwise, after downloading the certificate, you will have the opportunity to install the certificate guided by the operating system and should do so before setting up the WiFi connection.

WiFi Settings

In the following section you can find the needed settings to setup the WiFi networks eduroam and DESY.

eduroam

WiFi Name (SSID): eduroam
Security Type: WPA2-Enterprise / Company-wide WPA2
Authentication Type: TTLS/EAP-MSCHAPv2
Data Encryption: AES
Authentication Protocol: MS-CHAPv2
Domain: desy.de
Anonymous Identity (!): eduroam@desy.de
Username (!!): accountname@desy.de
Password: WiFi Password belonging to the used DESY account


(!) Depending on the operating system used, this field may also be named "external identity" or "roaming identity".

(!!) Depending on the operating system used, this field may also be named "inner identity" or "identity". Please change accountname into the DESY account name with which you want to establish the connection.

 

DESY

WiFi Name (SSID): DESY
Security Type: WPA2-Enterprise / Firmenweiter WPA2
Authentication Type: PEAPv0/EAP-MSCHAPv2
Data Encryption: AES
Authentication Protocol: MS-CHAPv2
Domain: desy.de
Anonymous Identity (!): intern@desy.de
Username (!!): accountname@desy.de
Password: WiFi Password belonging to the used DESY account


(!) Depending on the operating system used, this field may also be named "external identity" or "roaming identity".

(!!) Depending on the operating system used, this field may also be named "inner identity" or "identity". Please change accountname into the DESY account name with which you want to establish the connection.

UCO

Phone: +49 (0)40 8998 5005
E-Mail: UCO
Location: 2b / 131d
Link: https://it.desy.de/services/uco
Opening Hours: Mon - Fri, 08:00h - 16:30h