AUTHENTICATION OF ACCESS POINTS IN WIRELESS LOCAL AREA NETWORKS
Abstract:
A method is provided for authenticating an identity of an operator (10) of an access point (AP) (52) of a wireless local area network (WLAN) (50) to a client (40) seeking a connection with the AP (52). The method includes: registering the identity of the operator (10) of the AP (52) with a trusted certificate authority (CA) (20), the registering including providing the CA (20) with (i) identification information identifying the operator (10) and (ii) a public key (12) of the operator (10); creating an authentication certificate (30) including the operator's identification information and the operator's public key (12); signing the certificate (30) with a private key (28) of the CA (20); provisioning the AP (52) with the certificate (30) that was signed with the private key (28) of the CA (20); provisioning the client (40) with a public key (24) of the CA (20), the CA's public key (24) being a corresponding counterpart to the CA's private key (28); sending a certificate request from the client (40) to the AP (52); generating a signature with a private key (14) of the operator (10), the operator's private key (14) being a corresponding counterpart for the operator's public key (12); returning a certificate reply from the AP (52) to the client (40) in response to the request, the reply including the certificate (30) with which the AP (52) was provisioned signed by the AP (52) with the generated signature; using the CA's public key (24) with which the client was provisioned to obtain the operator's public key (12) from the certificate (30) received in the reply; and, using the operator's public key (12) obtained from the certificate (30) received in the reply to verify the signature generated with the operator's private key (14) and used by the AP (52) to sign the certificate (30) received in the reply.
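The exchange described in the abstract, as an added Go example that is not code from the patent or its applicant. Ed25519, the type and function names, the operator name and the client nonce covered by the AP's signature are assumptions of this example; the nonce is included so that a recorded reply cannot be reused.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Certificate binds the operator's identity to the operator's public key.
type Certificate struct {
	Operator string
	OpPub    ed25519.PublicKey
	CASig    []byte // CA signature over body(): Operator and OpPub
}
func (c Certificate) body() []byte { return append([]byte(c.Operator+"\x00"), c.OpPub...) }

// NewKey makes a key pair for the CA or the operator.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand; Ed25519 is assumed
	return pub, priv
}

// Issue is the CA step: sign the operator's identity and public key.
func Issue(caPriv ed25519.PrivateKey, operator string, opPub ed25519.PublicKey) Certificate {
	body := Certificate{Operator: operator, OpPub: opPub}.body()
	return Certificate{Operator: operator, OpPub: opPub, CASig: ed25519.Sign(caPriv, body)}
}

// Answer is the AP step: sign the certificate plus the assumed client nonce.
func Answer(opPriv ed25519.PrivateKey, c Certificate, nonce []byte) []byte {
	return ed25519.Sign(opPriv, append(append(c.body(), c.CASig...), nonce...))
}

// Verify is the client step; it returns the authenticated operator name.
func Verify(caPub ed25519.PublicKey, c Certificate, apSig, nonce []byte) (string, error) {
	if len(c.OpPub) != ed25519.PublicKeySize || !ed25519.Verify(caPub, c.body(), c.CASig) {
		return "", errors.New("certificate not issued by the trusted CA")
	}
	if !ed25519.Verify(c.OpPub, append(append(c.body(), c.CASig...), nonce...), apSig) {
		return "", errors.New("reply not signed with the operator's private key")
	}
	return c.Operator, nil
}

func main() {
	caPub, caPriv := NewKey()
	opPub, opPriv := NewKey()
	cert, nonce := Issue(caPriv, "Example Operator", opPub), []byte("constructed-nonce")
	fmt.Println(Verify(caPub, cert, Answer(opPriv, cert, nonce), nonce))
}
```

The client accepts the operator name only after both checks pass: a certificate that chains to the provisioned CA key, and a reply signature that verifies under the key taken from that certificate.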