WPA2 with 802.1X ("Enterprise") is what you want to use to encrypt your WiFi when you have lots of users and thanks to the formidable Eduroam initiative most universities I visit (as well as my home university) now provide such a service.
When I'm on the road, I almost always take my Kindle with me. So I was very happy to find that the Kindle Paperwhite supports WPA2 Enterprise. Sending logins over external networks of course calls for certificate verification. To my great surprise the Kindle manual does not specify how this is done and Amazon support - after consulting with their tech guys - told me to copy the file to the folder Cert and specify its name in the wifi settings. They were a loss when that did not work for me.
The internet wasn't helpful either. Universities simply suggested to leave the CA certificate field empty and forum posts were outdated, so I was left to guesswork.
Fortunately I found some settings that appear to work well so I though I should share them: First, convert your certificate to the PEM format. If you have a certificate in DER format, simply use openssl to convert:
openssl x509 -in input.der -inform DER –out output.crt -outform PEM
Using a USB connection create the folder certs (not: cert!) in the root directory of your kindle and copy the certificate there. The file must end on .crt, files with other names such as *.pem won't be detected. Then, go to Settings > Wi-Fi Networks > Other > Advanced and refer to the screenshot or the following table for the correct settings. The name of the certificate goes into "CA certificate" (without path).