When I tried to connect to my University's Wi-Fi for the first time, it asked me to accept a (probably self-signed) certificate.
Luckily they published the fingerprint so I was sure it is safe to accept.
The Wi-Fi then asked for a username and password.
Question:
What is this certificate used for? Does it have something to do with WPA2 Enterprise?
But why does it need a certificate? I mean my home Wi-Fi works fine without a certificate (PSK).
Sorry, ignore my earlier comments, I somewhat misread your question at first.
The eduroam network is asking you to accept their certificate so that your device can then use the public key linked to the certificate to make sure the server is who they claim they are and securely submit your login credentials for the network. So yes, this has to do with the 'Enterprise' in WPA Enterprise, as the 'Personal' (PSK) mode of WPA does not allow you to control network access on a per-user basis.
To expand a bit on that: In WPA, communications are symmetrically encrypted using a key that is generated in a so called four-way handshake from a pre-shared secret, random values that change for each session and some access point specific information. If you're interested in the details of the handshake, here is a great stackexchange answer that explains them. The difference between personal and enterprise mode lies in what the pre-shared secret is. In personal mode, the secret is a predetermined passphrase (between 8 and 63 characters in length, I believe). Users implicitly 'authenticate' themselves through their knowledge of the passphrase which is obviously less secure than forcing them to actually prove they are a certain someone who was authorised to use the network. An additional problem is that users can eavesdrop on each others' conversations if they record someone else's handshake at the beginning of their session.
The enterprise mode on the other hand allows for a multitude of authentication methods that are handled by a so called RADIUS server. In your case, the eduroam network seems to use either the EAP-TTLS or PEAP method, both of which rely on a X.509 certificate to authenticate the server and establish a secure TLS tunnel to submit the user login credentials. The following is taken from the FAQ section of the eduroam network's website (emphasis mine) :
IIn eduroam, communication between the access point and the user's home institution is based on IEEE 802.1X standard; 802.1X encompasses the use of EAP, the Extensible Authentication Protocol, which allows for different authentication methods. Depending on the type of EAP method used, either a secure tunnel will be established from the user’s computer to his home institution through which the actual authentication information (username/password etc.) will be carried (EAP-TTLS or PEAP), or mutual authentication by public X.509 certificates, which is not vulnerable to eavesdropping, will be used (EAP-TLS).
As you can see, alternative authentication methods could also include the use of client-side certificates for user authentication.
Now to come back to your question, the purpose of the server-side certificate here is to prevent someone else from posing as the access point and stealing your login credentials.
