[PATCH 01/12] hs20-ca: improve setup.sh and .conf for more flexibility.

Ben Greear greearb
Sat Mar 28 09:12:48 PDT 2015



On 03/27/2015 11:53 PM, Jouni Malinen wrote:
> On Fri, Mar 27, 2015 at 11:04:03AM -0700, Ben Greear wrote:
>> So, setup.sh is creating (and my example is using) the ca.pem that was meant for the OSU
>> for the AAA as well?
>
> For OSEN AAA, not for normal data connection AAA.
>
>> Should setup.sh add a new section to generate an AAA OSEN key for that radius
>> server so we can have a more realistic setup?  (I can work on adding this,
>> but I would probably need some fairly detailed guidance in order to do it properly.)
>
> It is realistic to use the OSU server certificate and OSU trust root for
> OSEN (well, in practice, that is required).
>
>> And maybe for the 'real' AAA server as well?
>
> That would be a new requirement. For most real deployment cases, I'd
> expect this to already exist. If you want to use OSU with EST to
> provision client certificates, you may want to generate something new
> for that purpose, but it is also possible that this would end up using
> existing PKI.

I think it would be nice to have a complete working and self-contained example, and if it is
more proper to use a unique key for the production AAA, then it should not
be too hard for us to auto-generate those keys/certs in setup.sh and
document how to use those new keys for the 'real' AAA hostapd-radius config
file?

>
>> And if so, what would the client use for its osu-ca.pem file?
>
> The real deployment case will use the three CA trust root selected by
> WFA. For testing, you'll need to replace (or extend) that with the root
> CA generated here.

Right, but I'm mainly interested in providing an easy way to make a fairly
realistic setup for testing purposes.  So, once the 'setup.sh' has been run,
then what key(s) need to be transferred to the station device in order to allow
it to work with the setup we just generated.  In my example, it seems to be
that only the ca.pem that setup.sh generates is needed.

Thanks,
Ben

-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com



More information about the Hostap mailing list