Configure iwd to connect to eduroam
Summary
This guide shows how to connect to eduroam on Linux using iwd, targeting profiles created with easyroam. It was tested on Arch Linux but should work on other distributions as well, as long as no other network manager is active and handling the wireless interface.
This requires the following steps:
- Generate and download the profile
- Extract the certificates and key from the profile
- Create an iwd configuration based on the extracted data
Background Information
Steps
Profile Generation
Get the profile from easyroam by selecting "Linux. Manual setup for Linux devices".
When creating the profile, you are asked to provide a name; the following steps
assume this to be easyroam_profile.
You will then get a PKCS12 file called easyroam_profile.p12.
Extract Data
The documentation shows a script to extract and store the data.
This requires root privileges to store the data in /etc/.
In this step we only want to extract the data, for which the following
commands are sufficient:
openssl pkcs12 -in easyroam_profile.p12 -legacy -nokeys -nodes \
    -passin pass: -clcerts -out client_cert.pem
openssl pkcs12 -in easyroam_profile.p12 -legacy -nokeys -nodes \
    -passin pass: -cacerts -out ca_cert.pem
openssl pkcs12 -in easyroam_profile.p12 -legacy -nocerts \
    -passin pass: -passout pass:pkcs12 -out client_key.pem
These commands create three files: client_cert.pem, ca_cert.pem and
client_key.pem.
An empty password is used to access the data, and the key file client_key.pem is
protected with the password pkcs12.
Tested with OpenSSL 3.6.1 27 Jan 2026 (Library: OpenSSL 3.6.1 27 Jan 2026).
Configure iwd
With the files from the previous step we can create the configuration file
/var/lib/iwd/eduroam.8021x, which will contain all the required data embedded
into it; no other files are necessary.
The configuration file must be placed in /var/lib/iwd/ with proper
permissions. Since this directory is only writable by root, you'll need to use
sudo.
For the field EAP-Identity we use the attribute CN we find in the output of
openssl x509 -noout -in client_cert.pem -subject.
The content of the file should look like this:
[Security]
EAP-Method=TLS
EAP-Identity=xxxxxxxxxxxxxxxxxxx@easyroam-pca.hm.edu
EAP-TLS-ClientCert=embed:client_cert
EAP-TLS-ClientKey=embed:client_key
EAP-TLS-ClientKeyPassphrase=pkcs12
EAP-TLS-CACert=embed:ca_cert
[Settings]
AutoConnect=true
[@pem@client_cert]
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[@pem@ca_cert]
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[@pem@client_key]
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
Between the BEGIN and END lines should be the respective content of the
files from the previous step.
Now iwd should be able to automatically connect to eduroam.
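The assembly step above can be scripted. The following is an added example, not part of the original guide or of the easyroam documentation: the function names pem_blocks and build_iwd_profile are hypothetical, and the identity is passed in by hand after reading the CN as described above. It removes the "Bag Attributes" text that openssl pkcs12 writes in front of each PEM block and creates the profile readable by its owner only, since the file holds both the private key and its passphrase.

```shell
#!/bin/sh
# Added example: build the iwd profile from the three extracted PEM files.

# Print only the PEM blocks of a file. openssl pkcs12 writes "Bag Attributes"
# text in front of each block; that text does not belong in the profile.
pem_blocks() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_iwd_profile IDENTITY CLIENT_CERT CA_CERT CLIENT_KEY OUT_FILE
# IDENTITY is the CN from: openssl x509 -noout -in client_cert.pem -subject
build_iwd_profile() {
    identity=$1 cert=$2 ca=$3 key=$4 out=$5
    for f in "$cert" "$ca" "$key"; do
        grep -q '^-----BEGIN ' "$f" || { echo "no PEM data in $f" >&2; return 1; }
    done
    (
        # The file holds the private key and its passphrase, so it is
        # recreated under umask 077 and ends up readable by its owner only.
        umask 077
        rm -f -- "$out"
        {
            printf '%s\n' '[Security]' 'EAP-Method=TLS' \
                "EAP-Identity=$identity" \
                'EAP-TLS-ClientCert=embed:client_cert' \
                'EAP-TLS-ClientKey=embed:client_key' \
                'EAP-TLS-ClientKeyPassphrase=pkcs12' \
                'EAP-TLS-CACert=embed:ca_cert' \
                '[Settings]' 'AutoConnect=true'
            printf '%s\n' '[@pem@client_cert]'; pem_blocks "$cert"
            printf '%s\n' '[@pem@ca_cert]';     pem_blocks "$ca"
            printf '%s\n' '[@pem@client_key]';  pem_blocks "$key"
        } > "$out"
    )
}

# Usage (as root, in the directory holding the PEM files):
#   build_iwd_profile "<CN from client_cert.pem>" client_cert.pem ca_cert.pem \
#       client_key.pem /var/lib/iwd/eduroam.8021x
```
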
Conclusion
The guide shows the required steps to extract the certificates and the key from an easyroam profile to connect to eduroam. By using iwd and the option to embed the certificates and the key directly into the configuration file, all necessary data is stored in one location.