[PATCH 01/12] hs20-ca: improve setup.sh and .conf for more flexibility.

Jouni Malinen
Sun Mar 29 00:12:09 PDT 2015

On Sat, Mar 28, 2015 at 09:12:48AM -0700, Ben Greear wrote:
> I think it would be nice to have a complete working and self-contained example, and if it is
> more proper to use a unique key for the production AAA, then it should not
> be too hard for us to auto-generate those keys/certs in setup.sh and
> document how to use those new keys for the 'real' AAA hostapd-radius config
> file?

I have nothing against adding yet another independent CA to be generated
by the script for this purpose. Ideally that would be done with EST
setup in mind (see the openssl commands issued in www/est.php).

> Right, but I'm mainly interested in providing an easy way to make a fairly
> realistic setup for testing purposes.  So, once the 'setup.sh' has been run,
> then what key(s) need to be transferred to the station device in order to allow
> it to work with the setup we just generated.  In my example, it seems to be
> that only the ca.pem that setup.sh generates is needed.

Only the new OSU trust root is needed, i.e., all the other certificates
are provided as part of the actual operations involving OSU.

Jouni Malinen                                            PGP id EFC895FA
