EAP-TLS with wpa_supplicant not associating with AP

Jouni Malinen jkmaline
Fri Jan 21 20:27:41 PST 2005

On Thu, Jan 20, 2005 at 02:34:33PM -0600, Jeff Stevens wrote:

> Need help with the WPA SSL certificate problems I've had.  I think my AP 
> handshake might not like my SSL certs, I exported a pfx type file from 
> my WinXP certs (my WinXP works ok, now trying to get Linux to work).

The connection ends pretty early, i.e., immediately after the client
sends out the first packet of TLS handshake. What access point and
authentication server is used in this network? Any chance of getting
debug/event log information from them?

> I had to use openssl to convert from pfx to pem, hoping I did things 
> right...but I can't tell what the AP is complaining about.  Can someone 
> give me a clue?

The current development version of wpa_supplicant can read the private
key and client certificate from a PKCS#12 (PFX) file. However, you will
still need to get the CA certificate out separately.

> I made my WPA EAP-TLS certs for wpa_supplicant this way (export from 
> WinXP with all certs in path and with private key to jeffs.pfx):
>   openssl pkcs12 -in jeffs.pfx -nocerts -nodes -out jeffs.prv
>   openssl pkcs12 -in jeffs.pfx -out jeffs.pem
>   openssl pkcs12 -in jeffs.pfx -out equifax.pem

Based on your other email, the certificates were actually exported with
-cacerts and -clcerts options. Please verify that you have full
certificate chain, e.g., with 'openssl verify -CAfile equifax.pem

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list