
Linux and Unix Users Group at Virginia Teck Wiki β

Changes

Virginia Tech Wifi

9 bytes removed, 21:11, 2 February 2015
m (minor edit): Certificate pinning: Clean up the language a bit
Many network managers for Linux/UNIX use wpa_supplicant as their underlying IEEE 802.1X/WPA supplicant and generate a configuration file on the fly. As a result, many network managers have similar configuration formats. In this section we will walk through generating a certificate pin for the certificate used to authenticate the VT RADIUS servers in eduroam.
wpa_supplicant offers multiple mechanisms for certificate management. The ca_cert parameter can point to a file which contains one or more CA certificates which will be used to validate the server's certificate. With that option you also have the ability to specify a substring match of the certificate's common name. Where possible, in our configurations we opted for a much stronger level of validation by specifying the hash of the certificate that we expect to see.
When using this method of certificate validation, you specify the ca_cert parameter as hash://server/sha256/<sha256 hash of DER encoded certificate>.
In order to generate the certificate hash, download the certificate by clicking the "Download" link on the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless] page (unfortunately this site is only available to Virginia Tech IPs).
Validate that the certificate downloaded is in fact signed by the (Obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Certificate Authority: Global Server CA] chain.
(TODO)
'''Note:''' As we are pinning the certificate instead of relying on a PKI, when CNS rotates the certificates being used, the configuration will need to be updated to match the new certificate.
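The pin generation described above and the rotation check the note asks for, as an added example that is not part of the original wiki page: it converts a downloaded PEM certificate to DER, computes the sha256 pin in the hash://server/sha256/ form wpa_supplicant expects, and reports whether an existing configuration still pins that certificate. The PEM body and the network block are constructed stand-ins (the "certificate" is just the bytes "abc"), not the real VT-Wireless certificate or the wiki's configuration.

```python
import base64
import hashlib
import re

# Constructed sample: base64 of the bytes b"abc", NOT a real X.509 certificate.
# It only stands in for the file downloaded from the certificate search page.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed wpa_supplicant network block whose pin is stale (all zeros),
# i.e. what is left behind after CNS rotates the RADIUS server certificate.
SAMPLE_CONF = (
    "network={\n"
    '    ssid="eduroam"\n'
    "    key_mgmt=WPA-EAP\n"
    '    ca_cert="hash://server/sha256/' + "0" * 64 + '"\n'
    "}\n"
)

PIN_RE = re.compile(r'ca_cert="hash://server/sha256/([0-9a-fA-F]{64})"')
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM file."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def server_pin(der: bytes) -> str:
    """ca_cert value that pins exactly this certificate: sha256 over the DER bytes."""
    return "hash://server/sha256/" + hashlib.sha256(der).hexdigest()


def pinned_hashes(conf: str) -> list[str]:
    """Every sha256 pin present in a wpa_supplicant configuration, lowercased."""
    return [h.lower() for h in PIN_RE.findall(conf)]


def pin_is_current(conf: str, pem: str) -> bool:
    """True if conf pins the certificate in pem; False means the pin is stale."""
    expected = server_pin(pem_to_der(pem)).rsplit("/", 1)[1]
    return expected in pinned_hashes(conf)


if __name__ == "__main__":
    print('ca_cert="%s"' % server_pin(pem_to_der(SAMPLE_PEM)))
    print("pin current:", pin_is_current(SAMPLE_CONF, SAMPLE_PEM))
```

On a real downloaded certificate the same value is what `openssl x509 -in cert.pem -outform DER | sha256sum` prints.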
 
====A word of caution====