wpa_supplicant : problem with 2 certification authorities

Vincent Nainemoutou Vincent.Nainemoutou at xrce.xerox.com
Fri Feb 10 10:30:54 EST 2006


Thanks Bryan for your help.
I should have paid more attention as the problem was related to the CA
certificate, and possibly to the combination of the software used.

You cannot specify several CA certificates if your certificate has been
delivered by a subordinate CA.
I tried to specify both certificates with a PKCS7 file, but it is not
accepted.

It is working with a PEM file listing both certificates. Each cert has
its own BEGIN..END section.
In addition, the certs are generated by a Windows PKI, and the file
contains lines with Subject and Issuer information.

--Vincent



Vincent Nainemoutou wrote:
> My clients and server certificates are delivered by an intermediate
> CA.

This setup works for me at work...  we have a root CA (self-signed),
which has also signed one subordinate CA.  That subordinate CA issues
certs to all our client machines, including the RADIUS server.  (We're
running IAS instead of FreeRADIUS, but that's only because we have a
Windows domain, so we already had IAS there.)

>      I tried several things like:
>     -> 2 ca_cert parameters in the wpa_supplicant files,
>     -> Single file with both CA certificates inside and on ca_cert
> parameter.

I'm not really surprised that either of those didn't work.  Have you
tried putting just the root CA cert into the ca_cert parameter?

You shouldn't need both -- or at least, we don't need both.  I believe
the RADIUS server is supposed to send its entire cert chain (all the way
back to the root cert) during the TLS handshake, and OpenSSL verifies
the root cert against what wpa_supplicant tells it to verify against
(that is, the contents of the ca_cert file or blob).

You don't by chance have a subject_match or altsubject_match set up, do
you?  If so, does it help to remove them?  (When a Windows box requests
a cert from a Windows CA, the subjectName and altSubjectName (or
whatever x.509 fields they are) come back with their CN= value in UCS-2,
not ASCII.  If you're trying to match a machine name in ASCII against a
UCS-2 field value, it won't match.  It doesn't sound like this is your
issue, but it might be.)
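The working configuration described in this thread is a single PEM file in which the subordinate CA and the root CA each sit in their own BEGIN/END block, with the Subject/Issuer text lines a Windows PKI export leaves between the blocks, while a PKCS#7 file is refused. The script below is an added example, not code from the hostap project or from either poster: it parses such a bundle the way a PEM reader does (base64 between the markers, everything else ignored), checks that each block decodes to a DER SEQUENCE of the right length, keeps only CERTIFICATE blocks (so a PKCS7 block yields nothing usable), and uses the Subject:/Issuer: text lines to show which cert is the self-issued root and whether every issuer in the file is present. The certificate names and the DER byte strings are constructed stand-ins, not real X.509 certificates, and the file layout is assumed to match what the thread describes.

```python
"""Sanity-check a PEM CA bundle intended for wpa_supplicant's ca_cert.

Added example (not hostap code).  wpa_supplicant hands ca_cert to OpenSSL,
which reads X.509 certificates in PEM form, one BEGIN/END block each; root
and subordinate CA may share one file.  Windows CA exports and
`openssl x509 -text` output put "Subject:"/"Issuer:" lines between blocks,
which PEM readers skip.  A PKCS#7 (.p7b) block is not a certificate block
and so contributes nothing to the bundle.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for DER certificate bodies (tiny DER SEQUENCEs, not real X.509).
ROOT_DER = bytes.fromhex("30050201010500")
SUB_DER = bytes.fromhex("30050201020500")
P7_DER = bytes.fromhex("3003020109")


def _pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


# Constructed bundle in the layout a Windows PKI export produces (hypothetical names).
WINDOWS_STYLE_BUNDLE = (
    "Subject: CN=Corp Sub CA, O=Example\n"
    "Issuer: CN=Corp Root CA, O=Example\n"
    + _pem("CERTIFICATE", SUB_DER)
    + "Subject: CN=Corp Root CA, O=Example\n"
    "Issuer: CN=Corp Root CA, O=Example\n"
    + _pem("CERTIFICATE", ROOT_DER)
)
PKCS7_ONLY = _pem("PKCS7", P7_DER)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
HEADER_LINE = re.compile(r"^(Subject|Issuer):\s*(.*)$", re.M)


@dataclass
class PemObject:
    label: str
    der: bytes
    subject: str = ""
    issuer: str = ""


def der_length_ok(der: bytes) -> bool:
    """True if the outer DER SEQUENCE header's length matches the byte count."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pem_bundle(text: str) -> List[PemObject]:
    """Split a bundle into its PEM blocks, picking up Subject:/Issuer: lines that precede each."""
    objs: List[PemObject] = []
    pos = 0
    for m in PEM_BLOCK.finditer(text):
        headers = dict(HEADER_LINE.findall(text[pos:m.start()]))
        try:
            der = base64.b64decode("".join(m.group(2).split()), validate=True)
        except ValueError as e:
            raise ValueError(f"bad base64 in {m.group(1)} block") from e
        if not der_length_ok(der):
            raise ValueError(f"{m.group(1)} block is not a well-formed DER SEQUENCE")
        objs.append(PemObject(m.group(1), der, headers.get("Subject", ""), headers.get("Issuer", "")))
        pos = m.end()
    return objs


def ca_certificates(text: str) -> List[PemObject]:
    """CERTIFICATE blocks usable for ca_cert; other labels (e.g. PKCS7) are skipped."""
    certs = [o for o in parse_pem_bundle(text) if o.label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE blocks: convert with `openssl pkcs7 -print_certs`")
    return certs


def is_usable_ca_bundle(text: str) -> bool:
    try:
        ca_certificates(text)
        return True
    except ValueError:
        return False


def find_root(certs: List[PemObject]) -> Optional[PemObject]:
    """The self-issued cert, judged from the Subject:/Issuer: text lines."""
    return next((c for c in certs if c.subject and c.subject == c.issuer), None)


def chain_complete(certs: List[PemObject]) -> bool:
    """True if every issuer named in the bundle is also a subject in the bundle."""
    subjects = {c.subject for c in certs if c.subject}
    return all(c.issuer in subjects for c in certs if c.issuer)


if __name__ == "__main__":
    certs = ca_certificates(WINDOWS_STYLE_BUNDLE)
    print(len(certs), "certificate(s); root:", find_root(certs).subject, "; complete:", chain_complete(certs))
    print("PKCS7-only file usable for ca_cert:", is_usable_ca_bundle(PKCS7_ONLY))
```

If what you have is a .p7b from the Windows CA, `openssl pkcs7 -print_certs -in chain.p7b -out chain.pem` writes exactly this kind of bundle (with Subject/Issuer lines), and `openssl verify -CAfile chain.pem server.pem` confirms the server cert chains to it before you point `ca_cert="/path/to/chain.pem"` at it in wpa_supplicant.conf. The Subject:/Issuer: text lines are only a convenience here; the real chain check is done by OpenSSL on the DER contents.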