| # EAP-TLS using private key and certificates via OpenSSL PKCS#11 engine and |
| # openCryptoki (e.g., with TPM token) |
| |
| # This example uses the following PKCS#11 objects: |
| # $ pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so -O -l |
| # Please enter User PIN: |
| # Private Key Object; RSA |
| # label: rsakey |
| # ID: 04 |
| # Usage: decrypt, sign, unwrap |
| # Certificate Object, type = X.509 cert |
| # label: ca |
| # ID: 01 |
| # Certificate Object, type = X.509 cert |
| # label: cert |
| # ID: 04 |
| |
| # Configure OpenSSL to load the PKCS#11 engine and openCryptoki module |
| # Both values are filesystem paths to shared libraries; the locations shown |
| # here may differ on your distribution, so verify them before use. |
| # NOTE(review): these libraries are loaded as code into the process that |
| # handles the token PIN, so they should not be writable by unprivileged |
| # users; confirm ownership and permissions on the target system. |
| pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so |
| pkcs11_module_path=/usr/lib/opencryptoki/libopencryptoki.so |
| |
| # Network profile for EAP-TLS: the client private key and the certificates |
| # are referenced by PKCS#11 object ID on the token instead of by file path. |
| network={ |
| ssid="test network" |
| key_mgmt=WPA-EAP |
| eap=TLS |
| identity="User" |
| |
| # use OpenSSL PKCS#11 engine for this network |
| engine=1 |
| engine_id="pkcs11" |
| |
| # select the private key and certificates based on ID (see pkcs11-tool |
| # output above) |
| # key_id and cert_id "4" match the objects listed with ID 04 (rsakey, cert); |
| # ca_cert_id "1" matches the certificate object listed with ID 01 (ca). |
| key_id="4" |
| cert_id="4" |
| ca_cert_id="1" |
| # NOTE(review): ca_cert_id names the CA certificate only. This profile sets no |
| # constraint on the server certificate's name, so presumably any server |
| # certificate issued under that CA is accepted; consider adding a name check |
| # such as domain_suffix_match or altsubject_match for the expected server. |
| |
| # set the PIN code; leave this out to configure the PIN to be requested |
| # interactively when needed (e.g., via wpa_gui or wpa_cli) |
| # "123456" is a sample value. A PIN written here is stored in plaintext, so |
| # anyone who can read this file learns the token's User PIN. Prefer omitting |
| # the line; if it must be stored, restrict read access to this file to the |
| # account that runs wpa_supplicant. |
| pin="123456" |
| } |