Connecting using wpa_supplicant to a WPA EAP-TLS network
Jouni Malinen
Mon Oct 13 08:35:33 PDT 2008
On Mon, Oct 13, 2008 at 03:41:04PM +0800, Soh Kam Yung wrote:
> eap=TLS
> identity="user@example.com"
> ca_cert="/etc/cert/ca.pem"
> client_cert="/etc/cert/user.pem"
> private_key="/etc/cert/user.prv"
> private_key_passwd="password"
> Are all the parameters (identity, ca_cert, client_cert, private_key,
> private_key_passwd) required?
No. At minimum, you will need to configure a user private key and
certificate (in one of the optional ways) and CA certificate.
> My MIS says that no identity is required. Does this mean I can leave
> it out or should I configure it as identity=""?
Some supplicants generate the identity string from the certificate, but
if the network is indeed configured to not require any specific
identity, yes, you could set it to "". Though, I would set it to
something like "anonymous" etc. to make it distinct from some
auto-probing software that uses an empty identity string to figure out
what authentication mechanism should be used.
> I exported my client certificate from my Windows Machine (using
> Internet Explorer) as a PKCS#12 file and I am trying to use openssl to
> generate the various certificates.
> How do I use openssl to generate the private_key? Is it:
> openssl pkcs12 -in example.pfx -out user.prv
You don't need to convert the PKCS#12 file; just use it as-is with
wpa_supplicant: private_key="example.pfx" (and private_key_passwd to
set the passphrase if needed). This will make wpa_supplicant read both
the private key and user certificate (i.e., separate client_cert is not
needed).
--
Jouni Malinen PGP id EFC895FA
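
Added example, not part of the original message and not wpa_supplicant code: a small checker that applies the minimum described in the reply (private key, user certificate unless the key file is PKCS#12, CA certificate, non-empty identity) to a network block. The ssid value and the sample block are constructed, and recognising PKCS#12 by file extension is an assumption of this sketch.

```python
import re

# Constructed sample: the quoted settings, with the PKCS#12 file used as-is.
SAMPLE = '''
network={
    ssid="example-net"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="anonymous"
    ca_cert="/etc/cert/ca.pem"
    private_key="example.pfx"
    private_key_passwd="password"
}
'''

def parse_network(text):
    """Return the key/value pairs of the first network={...} block."""
    m = re.search(r'network=\{(.*?)\n\s*\}', text, re.S)
    if not m:
        raise ValueError("no network block found")
    fields = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition('=')
        fields[key.strip()] = value.strip().strip('"')
    return fields

def check_eap_tls(fields):
    """List what is missing or questionable for EAP-TLS, per the reply above."""
    problems = []
    key = fields.get('private_key', '')
    # Assumption: a PKCS#12 bundle is recognised here by its file extension only.
    is_pkcs12 = key.lower().endswith(('.pfx', '.p12'))
    if not key:
        problems.append('private_key is not set')
    elif not is_pkcs12 and 'client_cert' not in fields:
        problems.append('client_cert is needed when private_key is not PKCS#12')
    if 'ca_cert' not in fields:
        problems.append('ca_cert is not set')
    if fields.get('identity', '') == '':
        problems.append('identity is empty or missing; use a value such as "anonymous"')
    return problems

if __name__ == '__main__':
    for p in check_eap_tls(parse_network(SAMPLE)) or ['ok']:
        print(p)
```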