Getting started with HS20 r2 (OSU client/server and such?)

Jouni Malinen j
Sat Mar 21 07:28:59 PDT 2015

On Tue, Mar 17, 2015 at 07:37:08PM -0700, Ben Greear wrote:
> OSEN authentication seems to use a 'osu-ca.pem' file,
> but I don't see anything that downloads or creates that.

For normal production use, OSEN requires that the AAA server certificate
is signed by one of the golden trust roots. This pages lists the CA

Some more information is here:

Especially the deployment guidelines can be of interest.

> I do see several other .pem files mentioned in the code.
> Do you know where that osu-ca.pem comes from?

I was assuming the root CAs to be available somewhat on WFA public web
server. However, I'm not sure where.. Anyway, unless you are planning on
acquiring a formal OSU server certificate from one of the CA vendors,
you'll need to use your custom trust root. That's what I'm doing in my
tests, i.e., just copying the root CA certificate in PEM format into the
osu-ca.pem file.

> Also, it seems that 'current-working-directory' is used a
> lot, and there are quite a few other hard-coded values and
> file paths.
> I am planning to work on making those cmd-line args so that
> I have easier control over the application...  That sound
> like a reasonable approach?

For some cases, yes, for others, not really, since the certificate
policy dictates some strings, like the subject name for the root CA
certificates and format for the intermediate CA subject names.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list