How to view WPA server's certificate?

Matt McCutchen matt at mattmccutchen.net
Wed Nov 26 11:44:41 EST 2008


On Wed, 2008-11-26 at 11:12 -0500, Dan Williams wrote:
> On Wed, 2008-11-26 at 16:32 +0200, Jouni Malinen wrote:
> > On Wed, Nov 26, 2008 at 01:47:26AM -0500, Matt McCutchen wrote:
> > 
> > > I am using wpa_supplicant via NetworkManager to connect to my
> > > university's WPA Enterprise wireless network.  The wireless server
> > > certificate is signed by the ThawtePremiumServerCA, which I configured
> > > as the CA.  I'd like to dump the server certificate to a file so I can
> > > inspect it.  Is there an easy way to do this?  If not, I might code one
> > > up to use myself and to offer to the project.
> > 
> > There is no such feature in wpa_supplicant, but it should be a relatively
> > simple thing to add. The server certificate is available in
> > tls_verify_cb() in src/crypto/tls_openssl.c (assuming you are using
> > OpenSSL). wpa_supplicant is now just printing out the subject name of
> > the certificate, but you could dump the full certificate (or a
> > fingerprint, etc.) here, too.
> 
> This is something we'd like to do in NetworkManager when the
> functionality becomes available in the supplicant.  I think both Mac OS
> X and Windows do this, but we'll want to also implement a real
> certificate store (like NSS or whatever) first, so that there's one
> single place where this stuff lives.

To be clear, are you proposing a desktop-wide certificate store that
would be used by wpa_supplicant among applications?  This is something I
would love to see in Fedora; I may finally join the Fedora wiki in order
to suggest this as a feature!

Matt