Problem using ca_path to connect to a EAP-TLS network

Soh Kam Yung sohkamyung at gmail.com
Tue Dec 9 20:25:25 EST 2008


On Wed, Dec 10, 2008 at 12:56 AM, Jouni Malinen <j at w1.fi> wrote:
> On Tue, Dec 09, 2008 at 04:18:10PM +0800, Soh Kam Yung wrote:
>> I'm encountering problems connecting to an EAP-TLS network using
>> ca_path in my configuration (instead of ca_cert).
>
>> ca_path = "/usr/local/certs"
>>
>> I start seeing the following error in the wpa_supplicant debug output:
>>
>> TLS: Certificate verification failed, error 20 (unable to get local
>> issuer certificate) depth 1 for '[deleted]'
>>
>> Am I using ca_path correctly?
>
> Does the directory that you point to include certificate hash files
> (symlink from a filename with the hash to the actual certificate)?
> OpenSSL requires that to find the certificates when using ca_path.
>
> --
> Jouni Malinen                                            PGP id EFC895FA

Jouni,

Err...no. <scratches head>  I have no idea how to hash the certificate file.

My apologies, but I'm new to the world of WPA-Enterprise/OpenSSL and
not that familiar with setting up the information required for
wpa_supplicant and OpenSSL to recognise server certificates.

I have also tried to export the root certificate from my Windows
machine for the EAP-TLS network, which was in DER format.  I converted
this to PEM using openssl:

>  openssl x509 -inform DER -outform PEM -in test_root.cer -out test_root.pem

Is the test_root.pem file good enough, or must I generate other stuff?

Regards,
Kam-Yung
-- 
Soh Kam Yung
my Google Reader Shared links:
(http://www.google.com/reader/shared/16851815156817689753)
my Google Reader Shared SFAS links:
(http://www.google.com/reader/shared/user/16851815156817689753/label/sfas)
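
The hash-file layout mentioned in the quoted reply, as an added example that is not part of the thread or of wpa_supplicant: OpenSSL looks up a CA in a ca_path directory by the name `<subject hash>.<n>`, so each PEM certificate needs a symlink with that name. The function name `link_ca_cert` and any paths passed to it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: create the <subject-hash>.<n> symlink that OpenSSL looks up
# in a ca_path directory. Function names and paths are illustrative.

# fingerprint FILE: print the SHA-256 fingerprint of a PEM certificate.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# link_ca_cert PEM_FILE CA_DIR
# Copies PEM_FILE into CA_DIR if it is not already there, creates the hash
# symlink for it, and prints the link name (for example 1a2b3c4d.0).
# Returns non-zero if PEM_FILE cannot be parsed as a PEM certificate.
link_ca_cert() {
    pem=$1
    dir=$2
    # "-hash" prints the subject-name hash used for directory lookups.
    hash=$(openssl x509 -noout -hash -in "$pem") || return 1
    fp=$(fingerprint "$pem") || return 1
    base=$(basename "$pem")
    [ -e "$dir/$base" ] || cp "$pem" "$dir/$base" || return 1
    n=0
    # Two different CAs can share a subject hash; OpenSSL then tries
    # <hash>.0, <hash>.1, ... so take the first free suffix.
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        # Already linked (same certificate): nothing to do.
        if [ "$(fingerprint "$dir/$hash.$n" 2>/dev/null)" = "$fp" ]; then
            echo "$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$base" "$dir/$hash.$n" || return 1
    echo "$hash.$n"
}
```

The subject-hash algorithm changed between OpenSSL 0.9.8 and 1.0.0, so the links have to be generated with the same OpenSSL generation that wpa_supplicant is linked against. The `c_rehash` script shipped with OpenSSL builds these links for every certificate in a directory.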

