More questions on hs20/OSU keys and configuration.
j at w1.fi
Wed Mar 25 07:32:16 EDT 2015
On Mon, Mar 23, 2015 at 04:14:05PM -0700, Ben Greear wrote:
> The hs20-osu-server.txt file never mentions actually starting the hs20_osu_server,
> but I assume that does need to be done. And part of that seems to be configuring
> the DB with some correct URLs and key information.
You don't need to start hs20_osu_server; it is executed when needed by
www/spp.php. You do need to create the DB, though.
> So, I need to create a proper sql-example.txt file and I have several questions on it.
> ca/setup.sh does not generate spp-root-ca.der nor aaa-root-ca.der. How are these
> supposed to be created?
spp-root-ca.der would be a DER-encoded version of rootCA/cacert.pem.
aaa-root-ca.der would be the trust root you are planning on using on the
main AAA server (e.g., for EAP-TLS or EAP-TTLS authentication for normal
data connection). ca/setup.sh is not involved in setting up that part.
> 'osu-server' is also not found in the setup.sh script. How
> does this name correlate to what the setup.sh is using?
ca/server.pem from setup.sh is used on the HTTPS server that acts as the
OSU server (i.e., that https://osu-server... URL).
> And, same question for the 'subscription-server'?
In theory, subscription server could use a different server certificate,
but I'm using the same one for both OSU and subscription servers (and
policy server for that matter).
> Maybe subscription-server and osu-server could both be the same,
> be called 'osu-client.$DOMAIN' and use the 'server-client' keys & certs
> that setup.sh created? It seems that apache cannot do HTTPS virtual-hosts,
> or at least not with any flexibility, so if I can do all of the HTTPS
> on the same hostname that is probably best?
You can use the same server certificate for all these logical servers.
That comment about Apache may be a bit misleading, though. You can have
different server certificates on different TCP ports, which is what I'm
normally doing for negative test cases or when wanting to test more than
a single set of server certificates.
Jouni Malinen PGP id EFC895FA
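The PEM-to-DER step described in the reply above, as an added example that is not part of the hostap tree or the original message: it writes spp-root-ca.der from rootCA/cacert.pem and checks that both encodings carry the same certificate. The self-signed CA it generates is a constructed stand-in for the ca/setup.sh output, so the script runs offline.

```shell
#!/bin/sh
# Added example: derive spp-root-ca.der (DER) from rootCA/cacert.pem (PEM),
# the conversion the hs20 SQL example expects for the OSU trust root.
set -eu

# pem_to_der PEM DER: write the DER form of a PEM certificate and return 0
# only when the SHA-256 fingerprints of both encodings match.
pem_to_der() {
    pem="$1"
    der="$2"
    openssl x509 -in "$pem" -outform DER -out "$der"
    # A fingerprint mismatch means the wrong file or a bad conversion.
    fp_pem=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    fp_der=$(openssl x509 -in "$der" -inform DER -noout -fingerprint -sha256)
    [ "$fp_pem" = "$fp_der" ]
}

# make_demo_ca DIR: constructed stand-in for the rootCA/ directory that
# ca/setup.sh produces; a throwaway self-signed certificate, not a real CA.
make_demo_ca() {
    mkdir -p "$1/rootCA"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Hotspot 2.0 Root CA" \
        -keyout "$1/rootCA/cakey.pem" -out "$1/rootCA/cacert.pem" 2>/dev/null
}

# Stand-alone run: build the demo CA, convert it, report the result.
demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir"
pem_to_der "$demo_dir/rootCA/cacert.pem" "$demo_dir/spp-root-ca.der"
echo "spp-root-ca.der written and fingerprint verified in $demo_dir"
```

On a real deployment, point the first argument at the ca/rootCA/cacert.pem that setup.sh generated instead of the constructed demo directory.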