More questions on hs20/OSU keys and configuration.

Jouni Malinen
Wed Mar 25 04:32:16 PDT 2015


On Mon, Mar 23, 2015 at 04:14:05PM -0700, Ben Greear wrote:
> The hs20-osu-server.txt file never mentions actually starting the hs20_osu_server,
> but I assume that does need to be done.  And part of that seems to be configuring
> the DB with some correct URLs and key information.

You don't need to start hs20_osu_server; it is executed when needed by
www/spp.php. You do need to create the DB, though.

> So, I need to create a proper sql-example.txt file and I have several questions on it.
> 
> ca/setup.sh does not generate spp-root-ca.der nor aaa-root-ca.der.  How are these
> supposed to be created?

spp-root-ca.der would be DER encoded version of rootCA/cacert.pem.
aaa-root-ca.der would be the trust root you are planning on using on the
main AAA server (e.g., for EAP-TLS or EAP-TTLS authentication for normal
data connection). ca/setup.sh is not involved in setting up that part.

> 'osu-server' is also not found in the setup.sh script.  How
> does this name correlate to what the setup.sh is using?

ca/server.pem from setup.sh is used on the HTTPS server that acts as the
OSU server (i.e., that https://osu-server... URL).

> And, same question for the 'subscription-server'?

In theory, subscription server could use a different server certificate,
but I'm using the same one for both OSU and subscription servers (and
policy server for that matter).

> Maybe subscription-server and osu-server could both be the same,
> be called 'osu-client.$DOMAIN' and use the 'server-client' keys & certs
> that setup.sh created?  It seems that apache cannot do HTTPS virtual-hosts,
> or at least not with any flexibility, so if I can do all of the HTTPS
> on the same hostname that is probably best?

You can use the same server certificate for all these logical servers.
That comment about Apache may be a bit misleading, though. You can have
different server certificates on different TCP ports, which is what I'm
normally doing for negative test cases or when wanting to test more than
a single set of server certificates.

-- 
Jouni Malinen                                            PGP id EFC895FA
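Jouni's point above that spp-root-ca.der is simply the DER encoding of rootCA/cacert.pem, as an added example (not code from the hostap tree): a stdlib-only Python conversion that also checks the result really is a single DER SEQUENCE, which catches the common mistake of storing the PEM text under a .der name. The sample PEM is constructed and not a real certificate; with OpenSSL the equivalent conversion is `openssl x509 -in rootCA/cacert.pem -outform DER -out spp-root-ca.der`.

```python
import base64
import hashlib
import re

# Constructed stand-in for rootCA/cacert.pem. The body is a minimal DER
# SEQUENCE { INTEGER 5, OCTET STRING "abc" } so the structural checks below
# have something to verify. It is NOT a real certificate.
SAMPLE_DER = bytes.fromhex("30080201050403616263")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_total_length(blob: bytes) -> int:
    """Length of the outer TLV as declared by its DER length octets."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a certificate starts with 0x30)")
    first = blob[1]
    if first < 0x80:  # short form: one length octet
        return 2 + first
    n = first & 0x7F  # long form: n following octets hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def is_single_der_sequence(blob: bytes) -> bool:
    """True only if blob is exactly one SEQUENCE with no trailing bytes."""
    try:
        return der_total_length(blob) == len(blob)
    except ValueError:
        return False


def convert_and_verify(pem_text: str) -> tuple:
    """Return (der_bytes, sha256_hex) for a PEM cert, refusing bad output."""
    der = pem_to_der(pem_text)
    if not is_single_der_sequence(der):
        raise ValueError("decoded data is not a well-formed DER certificate")
    return der, hashlib.sha256(der).hexdigest()
```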