Connecting using wpa_supplicant to a WPA EAP-TLS network

Jouni Malinen j at w1.fi
Mon Oct 13 11:35:33 EDT 2008


On Mon, Oct 13, 2008 at 03:41:04PM +0800, Soh Kam Yung wrote:

> 	eap=TLS
> 	identity="user at example.com"
> 	ca_cert="/etc/cert/ca.pem"
> 	client_cert="/etc/cert/user.pem"
> 	private_key="/etc/cert/user.prv"
> 	private_key_passwd="password"

> Are all the parameters (identity, ca_cert, client_cert, private_key,
> private_key_passwd) required?

No. At minimum, you will need to configure a user private key and
certificate (in one of the optional ways) and CA certificate.

> My MIS says that no identity is required.  Does this mean I can leave
> it out or should I configure it as identity=""?

Some supplicants generate the identity string from the certificate, but
if the network is indeed configured to not require any specific
identity, yes, you could set it to "". Though, I would set it to
something like "anonymous" etc. to make it distinct from some
auto-probing software that uses an empty identity string to figure out
what authentication mechanism should be used.

> I exported my client certificate from my Windows Machine (using
> Internet Explorer) as a PKCS#12 file and I am trying to use openssl to
> generate the various certificates.

> How do I use openssl to generate the private_key? Is it:
> openssl pkcs12 -in example.pfx -out user.prv

You don't need to convert the PKCS#12 file; just use it as-is with
wpa_supplicant: private_key="example.pfx" (and private_key_passwd to
set the passphrase if needed). This will make wpa_supplicant read both
the private key and user certificate (i.e., separate client_cert is not
needed).

-- 
Jouni Malinen                                            PGP id EFC895FA
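
An added example, not part of the original message and not wpa_supplicant's own code: a small Python check of network blocks against the minimum stated in the reply above (CA certificate, private key, and a separate client certificate unless the key file is PKCS#12). The sample config, the function names, and the detection of PKCS#12 by a .pfx/.p12 file extension are assumptions made for illustration.

```python
import re

# Constructed sample (not from the post): first block follows the reply, second does not.
SAMPLE_CONF = '''
network={
    ssid="corp-good"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="anonymous"
    ca_cert="/etc/cert/ca.pem"
    private_key="/etc/cert/example.pfx"
    private_key_passwd="password"
}
network={
    ssid="corp-bad"
    eap=TLS
    identity=""
    client_cert="/etc/cert/user.pem"
}
'''

def parse_networks(text):
    """Return one dict of key -> unquoted value per network={...} block."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\n\s*\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        blocks.append(fields)
    return blocks

def check_eap_tls(net):
    """List problems with an EAP-TLS block, per the minimum stated in the reply."""
    issues = []
    if "TLS" not in net.get("eap", "").split():
        return issues
    if not net.get("ca_cert"):
        issues.append("ca_cert missing")
    key = net.get("private_key", "")
    if not key:
        issues.append("private_key missing")
    # Assumption: a PKCS#12 bundle is recognised here by its file extension only.
    elif not key.lower().endswith((".pfx", ".p12")) and not net.get("client_cert"):
        issues.append("client_cert missing for non-PKCS#12 key")
    if net.get("identity", "") == "":
        issues.append("identity empty or unset")
    return issues
```

The ca_cert check matters most: the wpa_supplicant.conf documentation states that without a configured CA certificate the server certificate is not verified.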

