I want to connect a Linux machine to WPA2 Enterprise Wi-Fi (that I manage). The certificates I created with OpenSSL work well with Android and iOS devices, but I can't figure out what types of certificates are expected by wpa_supplicant.
Basically, I have a ca.pem, and, for a given device, the following files are being generated:
- demo.crt
- demo.csr
- demo.key
- demo.p12
It looks like wpa_supplicant can work with either a single file containing both the public and the private certificate, or two files. Originally, I was using two files:
- demo.key
- demo.pem, created by running:

    openssl pkcs12 -in demo.p12 -out demo.pem -clcerts

wpa_supplicant.conf was configured like this:

    network={
        ssid="HelloWorld"
        key_mgmt=WPA-EAP
        pairwise=CCMP
        group=CCMP
        eap=TLS
        identity="[email protected]"
        ca_cert="/etc/ssl/private/ca.pem"
        client_cert="/etc/ssl/private/demo.pem"
        private_key="/etc/ssl/private/demo.key"
        private_key_passwd=...
    }

The authentication fails with the following error:

    OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

If I remove client_cert and use only private_key, pointing to the .pem file, the error is still the same.
If I point it to .p12, the error is:

    OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)

Debian's documentation says that the PEM should be created from a .pfx. When I do that:

    openssl pkcs12 -export -out demo.pfx -inkey demo.key -in demo.crt -certfile ca.crt
    openssl pkcs12 -in demo.pfx -out demo.pem -clcerts

the original error is back:

    OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

How exactly should I generate the certificates for wpa_supplicant?
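
An added example, not part of the original question: a small Python helper that inventories what a credential file such as demo.pem, demo.key or demo.p12 actually contains (PEM certificate, PEM private key and whether it is encrypted, or a DER PKCS#12 container), so each file can be matched against the client_cert and private_key settings. The sample bytes are constructed placeholders, and the DER check is a heuristic on the leading bytes rather than a full ASN.1 parse.

```python
import re
import sys

# Matches PEM blocks; text outside them (e.g. "Bag Attributes") is ignored.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_kind(data):
    """Heuristic on the leading bytes only (assumption: not a full ASN.1 parse)."""
    if len(data) < 2 or data[0] != 0x30:
        return "neither PEM nor DER"
    # Skip the outer SEQUENCE length (short or long form).
    off = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)
    # A PFX structure starts with INTEGER version 3.
    if data[off:off + 3] == b"\x02\x01\x03":
        return "DER PKCS#12 container"
    return "DER structure other than PKCS#12"

def inventory(data):
    """Return labels for everything found in one credential file."""
    found = []
    for label, body in PEM_BLOCK.findall(data):
        label = label.decode()
        if label.endswith("PRIVATE KEY"):
            # PKCS#8 marks encryption in the label, legacy PEM in a header.
            enc = label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
            found.append(("encrypted" if enc else "unencrypted") + " PEM private key")
        elif label == "CERTIFICATE":
            found.append("PEM certificate")
        else:
            found.append("PEM " + label.lower())
    return found or [der_kind(data)]

# Constructed samples (placeholder bodies, not real key material).
SAMPLE_PEM = b"""Bag Attributes
    friendlyName: demo
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQ=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: demo
-----BEGIN ENCRYPTED PRIVATE KEY-----
Y29uc3RydWN0ZWQ=
-----END ENCRYPTED PRIVATE KEY-----
"""
SAMPLE_P12 = bytes.fromhex("308209a10201033082096706")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "->", ", ".join(inventory(fh.read())))
```

Run it with the file paths as arguments; a file that reports both a certificate and an encrypted private key is a combined PEM, not a certificate-only file.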