[PATCH 01/12] hs20-ca: improve setup.sh and .conf for more flexibility.

Jouni Malinen j
Fri Mar 27 23:53:44 PDT 2015

On Fri, Mar 27, 2015 at 11:04:03AM -0700, Ben Greear wrote:
> So, setup.sh is creating (and my example is using) the ca.pem that was meant for the OSU
> for the AAA as well?

For OSEN AAA, not for normal data connection AAA.

> Should setup.sh add a new section to generate an AAA OSEN key for that radius
> server so we can have a more realistic setup?  (I can work on adding this,
> but I would probably need some fairly detailed guidance in order to do it properly.)

It is realistic to use the OSU server certificate and OSU trust root for
OSEN (well, in practice, that is required).

> And maybe for the 'real' AAA server as well?

That would be a new requirement. For most real deployment cases, I'd
expect this to already exist. If you want to use OSU with EST to
provision client certificates, you may want to generate something new
for that purpose, but it is also possible that this would end up using
existing PKI.

> And if so, what would the client use for its osu-ca.pem file?

The real deployment case will use the three CA trust roots selected by
WFA. For testing, you'll need to replace (or extend) that with the root
CA generated here.

Jouni Malinen                                            PGP id EFC895FA
