Many network managers for Linux/UNIX use wpa_supplicant as their underlying IEEE 802.1X/WPA supplicant and generate its configuration file on the fly, so their own configuration formats tend to mirror wpa_supplicant's. In this section we walk through generating a certificate pin for the certificate used to authenticate the VT RADIUS servers in eduroam.
wpa_supplicant offers several mechanisms for validating the server certificate. The ca_cert parameter can point to a file containing one or more CA certificates, and the server's certificate chain is then checked against them; that check can be combined with a substring match on the certificate's subject/common name (the subject_match parameter). Where possible, our configurations use a much stronger level of validation: we specify the hash of the exact server certificate we expect to see, so no CA is trusted at all and only that one certificate is accepted.
When using this method of validation, set the ca_cert parameter to hash://server/sha256/<sha256 hash of DER encoded certificate>; the hash is taken over the DER encoding of the server certificate, not over the PEM file. To generate it, download the certificate by clicking the "Download" link on the (Obsolete) [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless] (unfortunately this site is only available to Virginia Tech IPs). Before pinning it, validate that the certificate downloaded is in fact signed by the [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Certificate Authority:Global Server CA] chain; a pin generated from an unverified download only proves that you pinned whatever the download page handed you.
(TODO)
'''Note:''' As we are pinning the certificate instead of relying on a PKI, when CNS rotates the certificates being used, the pin no longer matches and authentication fails until the configuration is updated with the hash of the new certificate.
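The procedure above (verify the downloaded certificate against the CA chain, hash its DER encoding, write the ca_cert line) as a runnable shell example. This is an added illustration, not part of the original page and not CNS's tooling: it builds a throwaway CA and server certificate with openssl as constructed test data so it runs offline, and the ssid, eap and identity values in the printed stanza are placeholders rather than VT's settings. For the real pin, substitute the certificate downloaded from the Certificate Search page for server.pem and the Global Server CA chain for ca-chain.pem.

```shell
#!/bin/sh
# Added example for this page; not VT's own tooling and not part of the original text.
# Builds throwaway certificates so the three steps can be run offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test data: two throwaway CAs and a server certificate signed by the first.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test Global Server CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca-chain.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Some Other CA" \
        -keyout "$WORK/wrong.key" -out "$WORK/wrong-ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca-chain.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# Step 1: confirm the downloaded certificate really chains to the expected CA.
# -no-CAfile/-no-CApath keep the system trust store out of the decision, so a
# certificate issued by any other CA is rejected. Exit status 0 means the chain is OK.
verify_chain() {   # verify_chain CHAIN.pem SERVER.pem
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 2: hash the DER encoding. wpa_supplicant's hash://server/sha256/ pin is
# SHA-256 over the DER certificate, not over the PEM text.
der_sha256() {     # der_sha256 CERT.pem -> 64 lowercase hex characters
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Cross-check: the certificate's SHA-256 "fingerprint" is the same DER hash,
# just printed as colon-separated uppercase hex.
fingerprint_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# The common mistake: hashing the PEM file as-is yields a different, useless value.
pem_sha256() {
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Step 3: the ca_cert line to drop into the wpa_supplicant network block.
ca_cert_line() {
    printf 'ca_cert="hash://server/sha256/%s"\n' "$(der_sha256 "$1")"
}

make_test_certs
verify_chain "$WORK/ca-chain.pem" "$WORK/server.pem" && echo "chain: OK"

# eap and identity below are placeholders (assumption), not VT's eduroam settings.
cat <<EOF
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@vt.edu"
    $(ca_cert_line "$WORK/server.pem")
}
EOF
```

Two points worth noting from the script: `openssl verify` consults the system trust store in addition to `-CAfile` unless `-no-CAfile -no-CApath` are given, so without those flags a certificate from any public CA would also report OK; and the value `openssl x509 -fingerprint -sha256` prints is the same DER hash that wpa_supplicant expects, so the fingerprint shown by a GUI certificate viewer can be used as a second check on the pin you computed.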
====A word of caution====