Hostapd 2.9 support for configuring 2 server certificates

Hello Users hellousers1987 at gmail.com
Sat Oct 16 21:19:53 PDT 2021


Thanks Jouni for your reply.

> How did you try to configure this? Did you follow the example and
> documentation shown in hostapd/hostapd.conf for
> server_cert2/private_key2/private_key_passwd2?

Yes, as per the documentation in hostapd.conf, I configured it as
below. ca_cert has the certificate authority for both of these
certificates.
ca_cert=/tmp/certs/ca-chain.cert.pem
server_cert=/tmp/certs/radiussrv.cert.pem
private_key=/tmp/certs/radiussrv.key.pem
private_key2=/tmp/tstserver.p12
private_key_passwd2=gwvajjjkgnap

With debug prints, we usually get the configured certificate dump
after hostapd initialization in hostapd:tls_global_set_params(). So
there it dumps only the 2nd certificate, i.e. the 1st certificate is
always overwritten. I was able to connect with both of these
certificates if they are configured individually. The issue happens when 2
certificates are configured at a time.
So is it really possible to configure 2 certificates at the server side
so that, based on client capability, it connects with the appropriate
certificate?


> Please also note the comment about the number of deployed station/supplicant
> implementations having interoperability issues with this capability.

So does that mean we should not go for this option?

Thanks and regards.

On Sat, Oct 16, 2021 at 2:25 AM Jouni Malinen <j at w1.fi> wrote:
>
> On Mon, Oct 11, 2021 at 06:10:11PM +0530, Hello Users wrote:
> > Please help me in understanding the below feature.
> > As per hostapd 2.9 change logs, it mentions support to configure 2
> > server certificates/keys(RSA/ECC). But when I tried to configure, it
> > only took/connected with the 2nd configured certificate. The 1st
> > configured certificate is always overwritten. What needs to be done
> > here to get the client connected with either of the certificates?
>
> How did you try to configure this? Did you follow the example and
> documentation shown in hostapd/hostapd.conf for
> server_cert2/private_key2/private_key_passwd2?
>
> Please also note the comment about number of deployed station/supplicant
> implementations having interoperability issues with this capability.
>
> --
> Jouni Malinen                                            PGP id EFC895FA


