Linux and Unix Users Group at Virginia Teck Wiki β

Changes

Virginia Tech Wifi

543 bytes removed, 21:14, 2 February 2015
Certificate pinning: Clean up the language
====Certificate pinning====
Many network managers for Linux/UNIX use wpa_supplicant as their underlying IEEE 802.1X/WPA supplicant and generate a configuration file on the fly. As a result, many network managers have similar configuration formats. In this section we will walk through generating a certificate pin for the certificate used to authenticate the VT RADIUS servers in eduroam. wpa_supplicant offers multiple mechanisms for certificate management. The ca_cert parameter can point to a file which contains one or more CA certificates which will be used to validate the certificate presented. With that option you also have the ability to specify a substring match of the certificate's common name. Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate that we expect to be presented. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate.
In order to generate the certificate hash, download the certificate by clicking the "Download" link on the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless] (unfortunately, this site is only available to Virginia Tech IPs).
Validate that the downloaded certificate is in fact signed by the (now obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chain.
(TODO)
Then generate the SHA256 hash (run this in the directory where the certificate was downloaded):
$ openssl x509 -in VT-Wireless.cns.vt.edu.crt -outform der | sha256sum
216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a -
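The same pin can be computed and checked without the openssl pipeline. The following is an added example, not part of the original wiki page: it accepts a PEM or DER file, compares the result against the hash shown above, and prints the pin in wpa_supplicant's documented <code>hash://server/sha256/</code> form of ca_cert. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Pin published on this page for VT-Wireless.cns.vt.edu.crt.
PAGE_PIN = "216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file that is PEM or DER."""
    m = _PEM_RE.search(data.decode("latin-1"))
    if m is None:
        # No PEM armor: DER certificates begin with an ASN.1 SEQUENCE tag.
        if not data.startswith(b"\x30"):
            raise ValueError("input is neither a PEM nor a DER certificate")
        return data
    # Drop line breaks inside the armor, then decode strictly.
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def pin_sha256(data: bytes) -> str:
    """SHA256 of the DER encoding, as lowercase hex."""
    return hashlib.sha256(cert_to_der(data)).hexdigest()

def matches_pin(data: bytes, expected: str) -> bool:
    """Compare against a pin; accepts raw hex or a 'hex  -' sha256sum line."""
    want = expected.split()[0].lower()
    return hmac.compare_digest(pin_sha256(data), want)

def wpa_supplicant_ca_cert(data: bytes) -> str:
    """ca_cert line that pins the server certificate by hash."""
    return 'ca_cert="hash://server/sha256/%s"' % pin_sha256(data)

# Constructed sample input: placeholder bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x0b" + b"constructed"
SAMPLE_PEM = (b"Certificate:\n    (text preamble)\n"
              b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(wpa_supplicant_ca_cert(SAMPLE_PEM))
    print("matches page pin:", matches_pin(SAMPLE_PEM, PAGE_PIN))
```

Pass the bytes of the downloaded VT-Wireless.cns.vt.edu.crt to <code>matches_pin</code> with <code>PAGE_PIN</code> to check it against the value above.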
Anonymous user