EAP-TLS Self Signed Certificates: The Dog's Cunt

The basic procedure for setting up a Linux box as a wireless access point is quite straightforward. But if you are trying to set up WPA2 EAP-TLS using self-signed certificates, you are quite likely to encounter a dog's cunt.

There are many, many recipes on the net for generating your own certificates and signing them yourself. Some of them even go so far as to say that you need to install your self-generated root certificate in your machine's list of trusted signing authorities in order to be able to verify the stuff you sign with it. So you do all this but nevertheless find that when you attempt to establish an EAP-TLS connection it fails with an error message bitching about the self-signed certificate. You piss about endlessly ringing the changes on the various options but nothing makes any difference; you look for a different recipe and find that doesn't work either. No matter what you do it seems it won't let you use a self-signed certificate. This is a dog's cunt.

Here, for example, is a recipe for creating a self-signed set of root, server and client certificates:

### Generate a CA: generate CA key "privkey.pem" and CA file "self-signed-ca.pem" $ openssl genrsa 2048 > privkey.pem $ openssl req -key privkey.pem -out self-signed-ca.pem -new -x509 ### Generate server certificate/key pair, no passphrase required $ echo '00' > file.srl $ openssl genrsa -out server.key 2048 $ openssl req -key server.key -new -out server.req $ openssl x509 -req -in server.req -CA self-signed-ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem $ cat server.key server.pem > server-combined.pem $ rm server.key server.pem server.req ### Generate client certificate/key pair, encrypted with passphrase $ openssl genrsa -aes256 -out client.key 2048 $ openssl req -key client.key -new -out client.req $ openssl x509 -req -in client.req -CA self-signed-ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem $ cat client.key client.pem > client-combined.pem $ rm client.key client.pem client.req file.srl ### Install root certificate (Debian/Ubuntu) $ sudo mkdir /usr/share/ca-certificates/extra # may not exist if this is your first time $ sudo cp self-signed-ca.pem /usr/share/ca-certificates/extra/self-signed-ca.crt $ sudo sh -c "echo 'extra/self-signed-ca.crt' >> /etc/ca-certificates.conf" $ sudo update-ca-certificates ### Check $ openssl verify self-signed-ca.pem $ openssl verify server-combined.pem $ openssl verify client-combined.pem


This is why...

The various openssl req commands ask you a whole fuck load of bollocks questions from the answers to which the certificate's Distinguished Name (coo er gosh posh eh?) is generated. It is obvious that none of the answers actually matter for a private self-signed setup, and indeed some recipes point out that you can leave them all blank apart from Common Name (as used by OIKS chiz) which you fill in with something unique. So you fill that one field in with your own name or the name of your network or whatever, and it all seems to work fine until you get to the final step of verifying the certificates and find that the server and client ones fail.

The reason for this is that "unique" in this context does not simply mean "unique to you". It means "unique to the certificate". It's no good calling them all "JoesWirelessNetwork" - as it is natural to do - because that leads you directly into the dog's cunt.

To avoid the dog's cunt, you have to use different names - for example "JoesWirelessNetwork-Root" for the self-signed root CA and "JoesWirelessNetwork-Node" for the client/server certificates/keys.


Well, one fucker tells you this. This document on mysql.com does make it nice and clear right at the beginning. But that is only one of a zillion bleeding recipes for doing this job and if you don't happen to find it in among all the others you'll never bleeding know. No doubt this is why so many people give up and settle for WPA-PSK instead. Maybe the existence of this page will be a little bit of help to people who don't want to give up.

Yeah, maybe it is "obvious". The trouble is that things that are "obvious" usually aren't. It probably is obvious if you do this shit all the time. But the whole point of these recipe guide things is for people who know jack shit about the mechanics of SSL and just want to look up the proper incantations to get their wireless network or SQL server or whatever working without having to spend weeks giving themselves a course in what every dot and comma actually means. And in that case the chances are it's about as obvious as which nucleus in a lump of plutonium is going to be the next one to undergo spontaneous fission.

Of course, having generated the certificates, you then have to install them on all the machines that will need them. Every machine that will be using this network needs self-signed-ca.pem installed in its list of trusted certificates, as described under "Install root certificate" above. The server/AP will need server-combined.pem to be made available to hostapd and the client will need client-combined.pem made available to wpa-supplicant. The hostapd and wpa-supplicant documentation about doing this doesn't contain any dog's cunts, so I won't bother expanding on it here; that side of things is all pretty straightforward.

Back to Pigeon's Nest

Be kind to pigeons

Valid HTML 4.01!