Does WPA support multiple CA certs using blob?

Jouni Malinen
Wed May 6 01:24:24 PDT 2009


On Fri, May 01, 2009 at 11:13:22AM -0400, TianHong Zhao wrote:

> I have a requirement that needs multiple CA certs to be saved in the
> flash as blob(s).
> 
> Does WPA's core (source files under ~/src in wpa 0.6.8) support this
> mode? I know the config file does not support this.

I would define wpa_supplicant core differently (I'm assuming you are
talking about the supplicant side, not the authenticator here). Anyway, the
configuration structure in core wpa_supplicant can configure an
identifier string for the CA certificate(s) or a path for a directory
that contains multiple certificate files (mainly for OpenSSL). The
common EAP-TLS code is able to convert the blob://<name> notation
into reading a single data block from the configuration.

The actual support for multiple CA certificates depends on the TLS
library in use and the wrapper code for it, though. In the case of OpenSSL,
tls_openssl.c is able to read a single DER-encoded certificate from the
certificate blob, one or more certificates from a file with PEM
certificates, or one or more certificates from the Windows certificate
store. In addition, it can use the ca_path option to point OpenSSL to a
directory with multiple CA certificates.

> If not, can you provide some guidelines about how to make the change in
> the core to support this mode?

Again, this depends on which TLS library you are using. For example,
with OpenSSL, you could extend tls_openssl.c to load multiple blobs in
tls_connection_ca_cert().

-- 
Jouni Malinen                                            PGP id EFC895FA
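Since tls_openssl.c reads only a single DER-encoded certificate from a blob, a blob holding several concatenated CA certificates has to be split into one blob per certificate before the existing code can load any of them. The following Python is an added illustration, not code from the hostap tree or from this thread: it walks the outer ASN.1 SEQUENCE headers of such a blob, splits it, and emits one blob-base64-<name> entry per certificate for wpa_supplicant.conf (the names cacert0, cacert1, ... and the sample bytes are constructed here; only one entry can then be referenced through ca_cert="blob://<name>" unless the TLS wrapper is extended as suggested above).

```python
import base64

def der_tlv_length(buf, offset):
    """Return (header_len, content_len) of the DER TLV starting at offset.
    Handles both short-form and long-form (multi-byte) length encodings."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header at offset %d" % offset)
    first = buf[offset + 1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length at offset %d" % offset)
    if offset + 2 + n > len(buf):
        raise ValueError("truncated long-form length at offset %d" % offset)
    return 2 + n, int.from_bytes(buf[offset + 2:offset + 2 + n], "big")

def split_der_blob(blob):
    """Split back-to-back DER SEQUENCEs (every X.509 certificate is an outer
    SEQUENCE) into one bytes object per element; reject malformed input."""
    certs, pos = [], 0
    while pos < len(blob):
        if blob[pos] != 0x30:
            raise ValueError("byte 0x%02x at offset %d is not a SEQUENCE tag" % (blob[pos], pos))
        hdr, clen = der_tlv_length(blob, pos)
        end = pos + hdr + clen
        if end > len(blob):
            raise ValueError("element at offset %d runs past end of blob" % pos)
        certs.append(bytes(blob[pos:end]))
        pos = end
    return certs

def blob_config_entries(blob, prefix="cacert"):
    """Emit one wpa_supplicant.conf 'blob-base64-<name>={ ... }' entry per
    certificate, so each can be referenced as ca_cert="blob://<name>"."""
    entries = []
    for i, der in enumerate(split_der_blob(blob)):
        b64 = base64.b64encode(der).decode("ascii")
        entries.append("blob-base64-%s%d={\n%s\n}" % (prefix, i, b64))
    return entries

# Constructed sample: two minimal DER SEQUENCEs standing in for certificates,
# one with a short-form length and one with a long-form (0x81) length.
SAMPLE_BLOB = bytes.fromhex("3003020105") + b"\x30\x81\x80" + b"\x04\x7e" + b"\x00" * 126

if __name__ == "__main__":
    for entry in blob_config_entries(SAMPLE_BLOB):
        print(entry)
```

A blob in PEM form is not handled here; per the reply above, the blob path in tls_openssl.c expects DER, while PEM bundles go through the file path instead.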