EAP-TLS with certificate-chain

Faigl Zoltán zfaigl at mik.bme.hu
Tue Feb 19 08:00:16 EST 2008


Dear Jouni and all!

Thank you for your quick answer.

 >For some reason, the client TLS (OpenSSL?) implementation did not like
 >the certificate chain from the server. If rootCA.pem includes the
 >self-signed root certificate used in the chain, this should have
 >worked.
 >
 >Are these client/server/CA certificates and client/server private keys
 >for test use only? If yes, could you please send me them so that I can
 >run a test with the same setup myself?


First of all, you can find the certificates and certificate chains, 
client and server key files (pwd is ikev2meas) I tried to use until this 
time at:
http://www.mcl.hu/~szlaj/certs.zip

Could you check them for me?

For information on the files: you should read the 
"generate-certificates" and "generate certificate-chains" text files.
I have also one or two explicit questions in generate-certificate.txt.

 > You can use PEM, DER, and PKCS12 with wpa_supplicant (assuming you are
 >using OpenSSL for TLS). If you have multiple CA certificates, the
 >easiest mechanism is likely to concatenate them in PEM format into a
 >single file and use that as the ca_cert.

So as I understand, wpa_supplicant configuration differs from the 
configuration I used at freeradius, since there, I put the server 
certificate chain into "server certificate file", in trust order, and I 
put only the rootCA.crt to the "Trusted CAs list" parameter.
Perhaps, wpa_supplicant-like configuration could also work for 
freeradius, and if I know how exactly wpa_supplicant configuration works, 
I will try the same thing with freeradius configuration.

Could you exemplify how to configure a client-side certificate chain, 
for example with my sample certificates, if they seem to be good?

What about the ordering of CA certs in the ca_cert? As I understood this 
will also be a concatenated PEM format file.

 >Same mechanism should work for both FreeRADIUS and wpa_supplicant. As
 >long as each end has full chain from its own certificate to the trusted
 >root (that is shared by both ends), the authentication should work.

So, how can I make sure that they find the commonly trusted CA, for example if

- server side trusts the following chain: subsubCA1, subCA1, rootCA
- client side trusts the following chain: subsubCA2, subCA2, rootCA
(note: server trusts subsubCA1, client trusts subsubCA2, the common CA 
is rootCA)

BR,
Zoltan
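The two-branch layout asked about at the end of the message (server under subsubCA1/subCA1, client under subsubCA2/subCA2, rootCA shared) can be tried out locally before touching FreeRADIUS or wpa_supplicant. The script below is an added example, not part of the thread and not from the hostap project: it builds that hierarchy with the openssl CLI, writes the per-side chain files and a concatenated ca_cert of the kind Jouni describes, and then checks each leaf certificate the way a TLS peer does, with only rootCA trusted and the intermediates supplied alongside the peer's certificate. It also shows the failure mode from the thread, a chain with an intermediate missing. All names, paths, key sizes and the wpa_supplicant values (ssid, identity) are assumptions chosen for the demo; the keys are unencrypted.

```shell
#!/bin/sh
# Added example (not from the thread): toy two-branch PKI built with openssl.
#   server <- subsubCA1 <- subCA1 <- rootCA
#   client <- subsubCA2 <- subCA2 <- rootCA
# Names, paths and key sizes are assumptions for the demo; keys are unencrypted.
set -e

CA_EXT='basicConstraints=critical,CA:TRUE'   # issuing certificates are CAs
EE_EXT='basicConstraints=CA:FALSE'           # end-entity (server/client) certs

# issue_cert DIR NAME ISSUER EXT: fresh RSA key and certificate for NAME,
# signed with ISSUER's key; ISSUER=self produces the self-signed root.
issue_cert() {
  dir=$1; name=$2; issuer=$3
  printf '%s\n' "$4" > "$dir/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
    -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
      -days 365 -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" \
      -CAkey "$dir/$issuer.key" -CAcreateserial -days 365 \
      -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
  fi
}

# build_pki DIR: issue the whole hierarchy plus the files each side hands out.
build_pki() {
  d=$1
  issue_cert "$d" rootCA    self      "$CA_EXT"
  issue_cert "$d" subCA1    rootCA    "$CA_EXT"
  issue_cert "$d" subsubCA1 subCA1    "$CA_EXT"
  issue_cert "$d" subCA2    rootCA    "$CA_EXT"
  issue_cert "$d" subsubCA2 subCA2    "$CA_EXT"
  issue_cert "$d" server    subsubCA1 "$EE_EXT"
  issue_cert "$d" client    subsubCA2 "$EE_EXT"
  # What each side presents in the handshake: its own certificate first,
  # then its issuers up to (not including) the root.
  cat "$d/server.pem" "$d/subsubCA1.pem" "$d/subCA1.pem" > "$d/server-chain.pem"
  cat "$d/client.pem" "$d/subsubCA2.pem" "$d/subCA2.pem" > "$d/client-chain.pem"
  # A ca_cert in concatenated PEM form. Order is irrelevant: OpenSSL looks
  # trusted certificates up by subject name, not by position in the file.
  cat "$d/subsubCA1.pem" "$d/rootCA.pem" "$d/subCA1.pem" > "$d/ca_cert-concat.pem"
}

# chains_to_root TRUSTED CHAIN LEAF: succeeds when LEAF validates up to a
# certificate in TRUSTED using only the untrusted intermediates in CHAIN,
# i.e. exactly the data a peer has: its configured CA file plus what it received.
chains_to_root() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# wpa_network_block DIR: wpa_supplicant network block for the client side
# (ssid and identity are placeholders). If your wpa_supplicant build loads
# only the first certificate from client_cert, put subsubCA2/subCA2 into the
# server's CA file instead, so the server can still build the chain.
wpa_network_block() {
  cat <<EOF
network={
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="client"
    ca_cert="$1/rootCA.pem"
    client_cert="$1/client-chain.pem"
    private_key="$1/client.key"
}
EOF
}

PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR"
for side in server client; do
  if chains_to_root "$PKI_DIR/rootCA.pem" "$PKI_DIR/$side-chain.pem" "$PKI_DIR/$side.pem"; then
    echo "$side certificate chains to rootCA with only rootCA trusted"
  else
    echo "$side certificate does NOT chain to rootCA" >&2
  fi
done
# Failure mode from the thread: a gap in the presented chain (subCA2 missing)
# cannot be bridged by trusting rootCA alone.
if chains_to_root "$PKI_DIR/rootCA.pem" "$PKI_DIR/subsubCA2.pem" "$PKI_DIR/client.pem"; then
  echo "unexpected: incomplete chain verified" >&2
else
  echo "client certificate without subCA2 in the chain is rejected, as expected"
fi
wpa_network_block "$PKI_DIR"
```

The point the verification step makes is that the two sides never need to trust each other's sub-CAs: each peer's ca_cert (or FreeRADIUS's CA file) only has to contain rootCA, provided the other side sends its full chain up to, but not necessarily including, that root. The same `openssl verify -CAfile ... -untrusted ...` invocation is a quick way to check a real certs.zip layout before debugging the EAP exchange itself.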


More information about the HostAP mailing list