526fc2a7dc09b4450086cdec313a5c44d36b10fd Dmitry Shmidt

# EAP-TLS using private key and certificates via OpenSSL PKCS#11 engine and
# openCryptoki (e.g., with TPM token)

# This example uses the following PKCS#11 objects:
# $ pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so -O -l
# Please enter User PIN:
# Private Key Object; RSA
#   label:      rsakey
#   ID:         04
#   Usage:      decrypt, sign, unwrap
# Certificate Object, type = X.509 cert
#   label:      ca
#   ID:         01
# Certificate Object, type = X.509 cert
#   label:      cert
#   ID:         04

# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opencryptoki/libopencryptoki.so

network={
	ssid="test network"
	key_mgmt=WPA-EAP
	eap=TLS
	identity="User"

	# use OpenSSL PKCS#11 engine for this network
	engine=1
	engine_id="pkcs11"

	# select the private key and certificates based on ID (see pkcs11-tool
	# output above)
	key_id="4"
	cert_id="4"
	ca_cert_id="1"

	# set the PIN code; leave this out to configure the PIN to be requested
	# interactively when needed (e.g., via wpa_gui or wpa_cli)
	pin="123456"
}
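
# Added example, not part of the original file or of wpa_supplicant: a small
# audit of network blocks that use the OpenSSL engine, flagging a token PIN
# stored in the file (the alternative noted above is to leave pin out) and a
# key_id/cert_id mismatch. The function names, the sample text and the
# "IDs should match" heuristic are assumptions made for this illustration.

```python
# Constructed sample: the first block mirrors the page, the second omits pin.
SAMPLE_CONF = """
network={
    ssid="test network"
    engine=1
    key_id="4"
    cert_id="4"
    pin="123456"
}
network={
    ssid="prompted"
    engine=1
    key_id="4"
    cert_id="1"
}
"""

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    networks, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit(text, mode=0o600):
    """Return (ssid, issue) pairs for networks that use the OpenSSL engine."""
    findings = []
    for net in parse_networks(text):
        if net.get("engine") != "1":
            continue
        ssid = net.get("ssid", "?")
        if "pin" in net:
            issue = "pin stored in config"
            if mode & 0o077:  # any group/other permission bit set
                issue += ", file accessible beyond owner"
            findings.append((ssid, issue))
        # Heuristic (assumption): a key and its certificate share one ID.
        if net.get("key_id") != net.get("cert_id"):
            findings.append((ssid, "key_id and cert_id differ"))
    return findings

print(audit(SAMPLE_CONF, 0o644))
```

# For a real file, pass its contents and os.stat(path).st_mode & 0o777 as mode.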