EAP-TLS with certificate-chain
zfaigl at mik.bme.hu
Tue Feb 19 08:00:16 EST 2008
Dear Jouni and all!
Thank you for your quick answer.
>For some reason, the client TLS (OpenSSL?) implementation dd not like
>the certificate chain from the server. If rootCA.pem includes the
>self-signed root certificate used in the chain, this should have
>Are these client/server/CA certificates and client/server private keys
>for test use only? If yes, could you please send me them so that I can
>run a test with the same setup myself?
First of all, you can find the certificates and certificate chains,
cleint and server key files (pwd is ikev2meas) I tried to use until this
Could you check them for me?
For information on the files: you should read the
"generate-certificates" and "generate certificate-chains" text files
I have also one or two explicit questions in generate-certificate.txt.
> You can use PEM, DER, and PKCS12 with wpa_supplicant (assuming you are
>using OpenSSL for TLS). If you have multiple CA certificates, the
>easiest mechanism is likely to concatenate them in PEM format into a
>single file and use that as the ca_cert.
So as I understand, wpa_supplicant configuraion differs from the
configuration I used at freeradius, since there, I put the server
chain into "server certificate file", in trust order, and I put only the
rootCA.crt to the "Trusted CAs list" parameter.
Perhaps, wpa-supplicant-like configuration could also work for
freeradius, and if I now, how exactly wpasupplicant configuration works,
I will try the same thing with freeradius configuration.
Could you examplify how to configure up a client-side certificate chain,
for example with my sample certificates, if they seem to be good?
What about the ordering of CA certs in the ca_cert? As I understood this
will also be a concatenated PEM format file.
>Same mechanism should work for both FreeRADIUS and wpa_supplicant. As
>long as each end has full chain from its own certificate to the trusted
>root (that is shared by both ends), the authentication should work.
So, how can I reach that they find the commonly trusted CA for example if
- server side trusts the following chain: subsubCA1, subCA1, rootCA
- client side trusts the following chain: subsubCA2, subCA2, rootCA
(note: server trusts subsubCA1, client trusts subsubCA2, the common CA
More information about the HostAP