
Do it for cheap?

It’d be extremely expensive if every university had to pay for a full CA root certificate.

Instead, just having a self-signed one, limited to their own domains and subdomains allows them to use eduroam, or provide their own signed software, or sign certificates for people who want to provide their own software, etc.

Safer, simpler, and cheaper. (Although some unis actually have a CA certificate limited to *.uniname.tld)



The German universities do have such a thing: They fund a network with their own backbone and all, called DFN. This organization does have a full CA root certificate which is signed by the globally trusted Deutsche Telekom CA. The DFN then signs certificates for their members. So in short, the German universities operate their own CA. I don't think running this is prohibitively expensive, as almost every university is a member there.

Page in German: https://www.pki.dfn.de/ueberblick-dfn-pki/



