More questions on hs20/OSU keys and configuration.
Mon Mar 23 17:15:19 PDT 2015
On 03/23/2015 04:14 PM, Ben Greear wrote:
> Now that I have OSEN working, I'm trying to get the rest of the
> configuration cobbled together.
> To keep openssl keys from colliding with their common-names, I'm planning to use
> a similar naming to your examples, for instance: osu-client.foo.local
> Hopefully I can fix up /etc/hosts or a fake local DNS to take care of resolving
> this properly to a single IP address.
> The hs20-osu-server.txt file never mentions actually starting the hs20_osu_server,
> but I assume that does need to be done. And part of that seems to be configuring
> the DB with some correct URLs and key information.
> So, I need to create a proper sql-example.txt file and I have several questions on it.
> ca/setup.sh does not generate spp-root-ca.der nor aaa-root-ca.der. How are these
> supposed to be created?
> 'osu-server' is also not found in the setup.sh script. How
> does this name correlate to what the setup.sh is using?
> And, same question for the 'subscription-server'?
> Maybe subscription-server and osu-server could both be the same,
> be called 'osu-client.$DOMAIN' and use the 'server-client' keys & certs
> that setup.sh created? It seems that apache cannot do HTTPS virtual-hosts,
> or at least not with any flexibility, so if I can do all of the HTTPS
> on the same hostname that is probably best?
> [root at ben-ota-2 hs20]# cat ../local/hs20/sql-example.txt
> INSERT INTO osu_config(realm,field,value) VALUES('example.com','fqdn','example.com');
> INSERT INTO osu_config(realm,field,value) VALUES('example.com','friendly_name','Example Operator');
> INSERT INTO osu_config(realm,field,value) VALUES('example.com','spp_http_auth_url','https://subscription-server.osu.example.com/hs20/spp.php?realm=example.com');
> INSERT INTO osu_config(realm,field,value) VALUES('example.com','trust_root_cert_url','https://osu-server.osu.example.com/hs20/files/spp-root-ca.der');
> INSERT INTO osu_config(realm,field,value) VALUES('example.com','trust_root_cert_fingerprint','5b393a9246865569485c2605c3304e48212b449367858299beba9384c4cf4647');
And, how are you generating these fingerprints? When I try creating SH1 or MD5 fingerprints from
the client-server.pem, I get fewer digits. And the certs HS20-R2 document didn't offer any specifics that I saw.
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc http://www.candelatech.com
More information about the Hostap