MulteFire Online Sign-Up (OSU)
Server Certificate FAQs

In addition to the normal LTE authentication mechanisms, MulteFire base stations (hot spots) can grant access to users via an optional OSU system. This allows secure access to the MulteFire hotpot by providing a user-name and password. MFA uses the same system as the Wi-Fi Alliance’s Hotspot system. The security and protocols are defined in its Hotspot 2.0 specification.

Systems that offer an OSU must have a MulteFire OSU Server Certificate, signed by a MulteFire Trust Root Certificate. The server certificate allows the user device to establish trust with the OSU service, and prevents malicious actors from creating fake MulteFire hotspots. The server certificate itself is an x509v3 digital certificate.

The MulteFire Certification Authority is tasked with administering the processes of the MulteFire Certification Program. This includes the processes associated with MulteFire OSU Server Certificates. The Certification Authority works for MFA, and not for any member company.
MFA has contracted with a digital certificate systems provider to host our MulteFire Trust Root Certificate Authority. The MulteFire Certificate Authority is the system (the collection of hardware, software and the people who operate it) that signs MulteFire OSU Server Certificates. Currently, MFA has one trust root, hosted by Comarch.

This MulteFire Trust Root Certificate is the certificate that is used to sign MulteFire OSU Server Certificates. It is hosted by our MulteFire Trust Root Certificate Authority – Comarch. The MulteFire Trust Root Certificate can be added, moved or removed in the future. The public key associated with this certificate is made available to MulteFire device makers to validate MulteFire OSU Server Certificates.

No. Any company that is developing a MulteFire OSU Server Service can request a MulteFire OSU Server Certificate. The company is required to provide certain information, designate an official point of contact (their Authorized Security Representative), and configure the digital certificate as defined in the WiFi Hotspot specifications. Additionally, the company must sign the MulteFire OSU Server Security Agreement before MFA can approve the request.

This is a legal document that commits your company to take certain precautions and implement certain features in the MulteFire OSU Server Service, including securing the private key associated with the certificate, reporting any security issues and taking corrective actions in case problems are discovered.

Yes. If a security problem, such as a leaked private key, is discovered, or the holder of the certificate does not comply with the MulteFire OSU Server Security Agreement, their certificate may be revoked. The MulteFire OSU Server service will periodically check in with the MulteFire Trust Root Certificate Authority to confirm that the certificate in use is still valid.

The ASR is an individual who has been designated as the primary point of contact for matters related to MulteFire certificates. Only the ASR can request that certificates be signed by the MulteFire Trust Root. To become an ASR, fill out the following form.

MFA provides a set of “test” certificates to use when developing systems. MulteFire user equipment will typically reject the connection or otherwise indicate that the connection is insecure but will be able to test that it’s working. MFA also provides a certificate that will expire after a few months to enable real-world tests.

If you have additional questions, fill out the form here.