More questions on hs20/OSU keys and configuration.

Ben Greear greearb
Mon Mar 23 17:15:19 PDT 2015

On 03/23/2015 04:14 PM, Ben Greear wrote:
> Now that I have OSEN working, I'm trying to get the rest of the
> configuration cobbled together.
> To keep openssl keys from colliding with their common-names, I'm planning to use
> a similar naming to your examples, for instance:
> Hopefully I can fix up /etc/hosts or a fake local DNS to take care of resolving
> this properly to a single IP address.
> The hs20-osu-server.txt file never mentions actually starting the hs20_osu_server,
> but I assume that does need to be done.  And part of that seems to be configuring
> the DB with some correct URLs and key information.
> So, I need to create a proper sql-example.txt file and I have several questions on it.
> ca/ does not generate spp-root-ca.der nor aaa-root-ca.der.  How are these
> supposed to be created?
> 'osu-server' is also not found in the script.  How
> does this name correlate to what the is using?
> And, same question for the 'subscription-server'?
> Maybe subscription-server and osu-server could both be the same,
> be called 'osu-client.$DOMAIN' and use the 'server-client' keys & certs
> that created?  It seems that apache cannot do HTTPS virtual-hosts,
> or at least not with any flexibility, so if I can do all of the HTTPS
> on the same hostname that is probably best?
> [root at ben-ota-2 hs20]# cat ../local/hs20/sql-example.txt
> INSERT INTO osu_config(realm,field,value) VALUES('','fqdn','');
> INSERT INTO osu_config(realm,field,value) VALUES('','friendly_name','Example Operator');
> INSERT INTO osu_config(realm,field,value) VALUES('','spp_http_auth_url','');
> INSERT INTO osu_config(realm,field,value) VALUES('','trust_root_cert_url','');
> INSERT INTO osu_config(realm,field,value) VALUES('','trust_root_cert_fingerprint','5b393a9246865569485c2605c3304e48212b449367858299beba9384c4cf4647');

And, how are you generating these fingerprints?  When I try creating SHA1 or MD5 fingerprints from
the client-server.pem, I get fewer digits.  And the certs HS20-R2 document didn't offer any specifics that I saw.


Ben Greear <greearb at>
Candela Technologies Inc
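
Added example, not part of the original message or of the hostap project's code: the fingerprint in the quoted sql-example.txt is 64 hex digits, which is the length of a SHA-256 digest, while SHA-1 and MD5 produce 40 and 32. The sketch assumes the fingerprint is a digest over the certificate's DER encoding (the message does not say); all function names and the sample PEM are constructed for illustration.

```python
import base64
import hashlib
import re

# Hex digits per digest: the two tried in the message, plus SHA-256.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Value copied from the quoted sql-example.txt.
PAGE_FP = "5b393a9246865569485c2605c3304e48212b449367858299beba9384c4cf4647"
# Constructed placeholder bytes standing in for a DER certificate; a digest
# is computed over raw bytes, so no real certificate is needed here.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n")


def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block (key blocks are skipped)."""
    m = CERT_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der, algo="sha256"):
    return hashlib.new(algo, der).hexdigest()  # lowercase hex, no colons


def normalize(fp):
    """Accept 'AA:BB:..' or plain hex; return lowercase hex without colons."""
    fp = fp.replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", fp):
        raise ValueError("not a hex fingerprint")
    return fp


def candidate_algorithms(fp):
    """Digests whose output length matches the given fingerprint."""
    return [a for a, n in HEX_LEN.items() if n == len(normalize(fp))]


def matches(pem_text, expected_fp):
    """True if a length-compatible digest of the cert equals expected_fp."""
    der, want = pem_to_der(pem_text), normalize(expected_fp)
    return any(fingerprint(der, a) == want for a in candidate_algorithms(want))
```

A length match only narrows down the digest algorithm; the configured value still has to be compared against the digest of the actual certificate, as `matches` does.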
