
Daniel Dalton wrote:
Incidentally, if they GAVE you the private key your client will be using, rather than you generating it yourself, that's a bit of a security fail :-/ Really, you should be generating a private key and a CSR, sending them the CSR to sign, and getting the cert back from them; i.e. they never know your private key.
Makes sense. I really don't know what the process involves with generating the various keys? I was assuming the tech department would tell me that, but maybe not...?
IME at such sites there is a black box that is "the management server" or whatever, and it has a java web UI that spits out a zip file with a given user's cert and key, the cacert, &c. This is an unfortunate (but unsurprising) trade-off of security for convenience (i.e. "can be administered by unskilled labour").
This is what I was using:
network={
    ssid="cyber"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="twb@cyber.com.au"
    ca_cert="/etc/ssl/certs/cyber.pem"
    client_cert="/etc/wpa_supplicant/dali.crt"
    private_key="/etc/wpa_supplicant/dali.pem"
}
Ok, so it's just the same thing besides the identity, certs and ssid?
AFAICT that is correct.
The identity corresponds to the email address in the client's cert. That host/... thing looks a little strange.
It does. I suppose I can just try both.
You probably want to use gnutls's certtool program (or openssl's ssl program) to inspect the cert and see what X.509 attributes are in it. Then just copy the appropriate one from there.
3. The original "private_key" certificate in the raw instructions I got from the man page was a "prv" file. However, my school says to use the .pem file. Will this work?
PEM refers to the ascii armour encoding of the file. prv is presumably because it's a private key. IIRC wpa_supplicant doesn't care what extensions you use (for any of these files). Other software does care because the programmers were silly.
Fair enough, so ultimately they are the same file type, just different extension?
Yes. PEM is similar to base64 or uuencoding, it just describes how to asciify binary data. Such files usually have a line at the top saying something like "I'm an RSA key" or "I'm a TLS cert" as well. I don't think that line has any actual effect, it's just there for humans.
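The key/CSR workflow Trent describes, followed by the inspection step for finding the identity and a look at the PEM header, as an added example that is not from the thread. It assumes the openssl command-line tool is installed; the file names and the address twb@cyber.com.au come from the thread, and the CA is a throwaway stand-in for the school's real one.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is present.
# Names (dali.pem, dali.crt, twb@cyber.com.au) are taken from the thread; the
# CA below is a throwaway stand-in for the school's real CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Step 1 (you): the private key is generated locally and never sent anywhere.
gen_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/dali.pem" 2>/dev/null
    chmod 600 "$WORK/dali.pem"
    openssl req -new -key "$WORK/dali.pem" \
        -subj "/CN=dali/emailAddress=twb@cyber.com.au" \
        -out "$WORK/dali.csr" 2>/dev/null
}

# Step 2 (the CA): only the CSR crosses the wire; the signed cert comes back.
sign_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/dali.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -set_serial 1 -days 1 \
        -out "$WORK/dali.crt" 2>/dev/null
}

# Sanity check: the public key in the cert we got back must match our own
# private key, otherwise the CA signed something else.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Step 3: read the X.509 attribute to copy into identity= (here emailAddress).
cert_email() { openssl x509 -in "$1" -noout -email; }

# The PEM "armour" header line only labels the blob; it is not a file type.
pem_header() { head -n 1 "$1"; }

gen_key_and_csr
sign_with_test_ca
key_matches_cert "$WORK/dali.pem" "$WORK/dali.crt" && echo "key and cert match"
echo "identity=\"$(cert_email "$WORK/dali.crt")\""
echo "$(pem_header "$WORK/dali.pem") / $(pem_header "$WORK/dali.crt")"
```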