Problem using ca_path to connect to a EAP-TLS network

Soh Kam Yung sohkamyung
Thu Dec 11 22:45:44 PST 2008

On Wed, Dec 10, 2008 at 12:56 AM, Jouni Malinen <j at> wrote:
> On Tue, Dec 09, 2008 at 04:18:10PM +0800, Soh Kam Yung wrote:
>> I'm encountering problems connecting to a EAP-TLS network using
>> ca_path in my configuration (instead of ca_cert).
>> ca_path = "/usr/local/certs"
>> I start seeing the following error in the wpa_supplicant debug output:
>> TLS: Certificate verification failed, error 20 (unable to get local
>> issuer certificate) depth 1 for '[deleted]'
>> Am I using ca_path correctly?
> Does the directory that you point to include certificate hash files
> (symlink from a filename with the hash to the actual certificate)?
> OpenSSL requires that to find the certificates when using ca_path.
> --
> Jouni Malinen                                            PGP id EFC895FA


I looked at some OpenSSL documentation.  Just to be certain, when you
mention hashes, do you mean the hashes as mentioned in the OpenSSL
verify command?

The usage looks similar to the ca_path/ca_cert options as used in
wpa_supplicant, only 'better' documented... ;-)



verify - Utility to verify certificates.


openssl verify [-CApath directory] [-CAfile file] [-purpose purpose]
[-untrusted file] [-help] [-issuer_checks] [-verbose] [-]


The verify command verifies certificate chains.


-CApath directory

    A directory of trusted certificates. The certificates should have
names of the form: hash.0 or have symbolic links to them of this form
(``hash'' is the hashed certificate subject name: see the -hash option
of the x509 utility). Under Unix the c_rehash script will
automatically create symbolic links to a directory of certificates.

-CAfile file

    A file of trusted certificates. The file should contain multiple
certificates in PEM format concatenated together.
Soh Kam Yung
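
Added example, not part of the original post and not wpa_supplicant or OpenSSL project code: a shell sketch of what the reply and the quoted -CApath text describe. It creates the hash.N symlinks for each certificate in a ca_path directory and then checks a certificate against that directory with openssl verify. The function names and the assumption that the CA files are PEM files named *.pem are mine.

```shell
#!/bin/sh
# Added example: populate a CApath directory the way c_rehash does,
# then check a certificate against it.

# rehash_dir DIR
# Create <subject-hash>.<n> symlinks for every *.pem certificate in DIR
# (assumption: CA certificates are PEM files named *.pem).
rehash_dir() {
    dir=$1
    # Drop symlinks from an earlier run so suffixes start again at .0.
    # Only symlinks whose name ends in .<digit> are touched.
    for link in "$dir"/*.[0-9]; do
        if [ -L "$link" ]; then rm -f "$link"; fi
    done
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        # Same value as "openssl x509 -hash", the hashed subject name.
        h=$(openssl x509 -noout -hash -in "$cert") || continue
        n=0
        # Different CAs can share a hash; take the next free suffix.
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$dir/$h.$n"
    done
}

# verify_with_capath DIR CERT
# Succeeds only when "openssl verify" reports CERT as OK using DIR as
# the directory of trusted certificates. The output is matched instead
# of the exit status so the result does not depend on how a given
# OpenSSL release sets its exit code.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Optional command-line use: script.sh DIR [CERT]
if [ "$#" -ge 1 ]; then
    rehash_dir "$1"
    if [ "$#" -ge 2 ]; then
        if verify_with_capath "$1" "$2"; then
            echo "$2: chains to a CA in $1"
        else
            echo "$2: no issuer found in $1" >&2
            exit 1
        fi
    fi
fi
```

Running it against the directory named in ca_path and then listing that directory should show one hash-named link per CA certificate; a directory with only the plain certificate files gives the "unable to get local issuer certificate" result quoted above.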