wpa_supplicant : problem with 2 certification authorities

Bryan Kadzban bryan at kadzban.is-a-geek.net
Thu Jan 12 07:07:57 EST 2006


Vincent Nainemoutou wrote:
> My clients and server certificates are delivered by an intermediate
> CA.

This setup works for me at work...  we have a root CA (self-signed),
which has also signed one subordinate CA.  That subordinate CA issues
certs to all our client machines, including the RADIUS server.  (We're
running IAS instead of FreeRADIUS, but that's only because we have a
Windows domain, so we already had IAS there.)

>      I tried several things like:
>     -> 2 ca_cert parameters in the wpa_supplicant files,
>     -> Single file with both CA certificates inside and on ca_cert
> parameter.

I'm not really surprised that either of those didn't work.  Have you
tried putting just the root CA cert into the ca_cert parameter?

You shouldn't need both -- or at least, we don't need both.  I believe
the RADIUS server is supposed to send its entire cert chain (all the way
back to the root cert) during the TLS handshake, and OpenSSL verifies
the root cert against what wpa_supplicant tells it to verify against
(that is, the contents of the ca_cert file or blob).

You don't by chance have a subject_match or altsubject_match set up, do
you?  If so, does it help to remove them?  (When a Windows box requests
a cert from a Windows CA, the subjectName and altSubjectName (or
whatever x.509 fields they are) come back with their CN= value in UCS-2,
not ASCII.  If you're trying to match a machine name in ASCII against a
UCS-2 field value, it won't match.  It doesn't sound like this is your
issue, but it might be.)
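Bryan's point about the chain (the server sends root and intermediate during the handshake, so ca_cert only needs the root) can be checked on a workstation before touching the supplicant. The script below is an added example and is not code from the original thread or from the wpa_supplicant project: it builds a throwaway root -> intermediate -> server/client chain with openssl, then verifies a leaf the way the supplicant does, with the intermediate supplied next to the leaf (what the RADIUS server presents) and a chosen file as the trust anchor. All subject names, file names, the ssid and the identity in the config fragment are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the original message or from wpa_supplicant.
# Builds a throwaway root -> intermediate -> leaf chain and shows which trust
# anchor the supplicant side needs when the peer presents its full chain.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory, constructed for this demo
cd "$WORK"

# 1. Root CA, self-signed. All subject names below are made up.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Demo Root CA" -days 3650 2>/dev/null

# 2. Intermediate CA, signed by the root and marked as a CA.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Demo Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 1825 -extfile inter.ext 2>/dev/null

# 3. RADIUS server cert and a client cert, both issued by the intermediate
#    (the layout the original poster describes).
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=radius.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out server.pem -days 365 -extfile server.ext 2>/dev/null

printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=laptop01.example.test" 2>/dev/null
openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out client.pem -days 365 -extfile client.ext 2>/dev/null

# verify_chain TRUSTFILE LEAF
# Emulates the check done by the side that receives LEAF: the leaf arrives
# together with inter.pem (the chain the peer sends, hence -untrusted) and
# TRUSTFILE plays the role of the ca_cert setting. Prints "ok" or "fail".
verify_chain() {
    if openssl verify -CAfile "$1" -untrusted inter.pem "$2" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo fail
    return 1
}

# Root only as trust anchor: both leaves verify.
echo "ca_cert=root.pem  server -> $(verify_chain root.pem server.pem || true)"
echo "ca_cert=root.pem  client -> $(verify_chain root.pem client.pem || true)"
# Intermediate only as trust anchor: no path ends at a self-signed root, so it fails.
echo "ca_cert=inter.pem server -> $(verify_chain inter.pem server.pem || true)"

# Matching wpa_supplicant network block; ssid, identity and paths are placeholders.
cat > wpa_supplicant.conf.fragment <<EOF
network={
    ssid="example-eap-ssid"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="laptop01@example.test"
    ca_cert="$WORK/root.pem"
    client_cert="$WORK/client.pem"
    private_key="$WORK/client.key"
}
EOF
```

The `-untrusted inter.pem` argument is what models the handshake: the supplicant never needs the intermediate in ca_cert because the server hands it over, and OpenSSL only has to reach a self-signed anchor it was told to trust. Swapping the trust file for the intermediate alone fails because the path cannot be completed to a root. The same verification runs in the other direction on the RADIUS side for the client certificate.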