Update PKCS#11 references in template wpa_supplicant.conf
Ditch the legacy syntax and manual engine mangling and just give an example using simple PKCS#11 URIs that'll work with both GnuTLS and OpenSSL. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
This commit is contained in:
parent
c3d7fb7e27
commit
f7cb6e9f24
1 changed files with 15 additions and 17 deletions
|
@ -168,10 +168,13 @@ ap_scan=1
|
|||
fast_reauth=1
|
||||
|
||||
# OpenSSL Engine support
|
||||
# These options can be used to load OpenSSL engines.
|
||||
# These options can be used to load OpenSSL engines in special or legacy
|
||||
# modes.
|
||||
# The two engines that are supported currently are shown below:
|
||||
# They are both from the opensc project (http://www.opensc.org/)
|
||||
# By default no engines are loaded.
|
||||
# By default the PKCS#11 engine is loaded if the client_cert or
|
||||
# private_key option appear to be a PKCS#11 URI, and these options
|
||||
# should not need to be used explicitly.
|
||||
# make the opensc engine available
|
||||
#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
|
||||
# make the pkcs11 engine available
|
||||
|
@ -480,6 +483,10 @@ fast_reauth=1
|
|||
# (EAP-TLS). Full path to the file should be used since working
|
||||
# directory may change when wpa_supplicant is run in the background.
|
||||
#
|
||||
# Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.
|
||||
#
|
||||
# For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
|
||||
#
|
||||
# Alternatively, a named configuration blob can be used by setting
|
||||
# this to blob://blob_name.
|
||||
#
|
||||
|
@ -490,6 +497,9 @@ fast_reauth=1
|
|||
# used since working directory may change when wpa_supplicant is run
|
||||
# in the background.
|
||||
#
|
||||
# Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.
|
||||
# For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
|
||||
#
|
||||
# Windows certificate store can be used by leaving client_cert out and
|
||||
# configuring private_key in one of the following formats:
|
||||
#
|
||||
|
@ -1587,22 +1597,10 @@ network={
|
|||
group=CCMP TKIP
|
||||
identity="user@example.com"
|
||||
ca_cert="/etc/cert/ca.pem"
|
||||
client_cert="/etc/cert/user.pem"
|
||||
|
||||
engine=1
|
||||
|
||||
# The engine configured here must be available. Look at
|
||||
# OpenSSL engine support in the global section.
|
||||
# The key available through the engine must be the private key
|
||||
# matching the client certificate configured above.
|
||||
|
||||
# use the opensc engine
|
||||
#engine_id="opensc"
|
||||
#key_id="45"
|
||||
|
||||
# use the pkcs11 engine
|
||||
engine_id="pkcs11"
|
||||
key_id="id_45"
|
||||
# Certificate and/or key identified by PKCS#11 URI (RFC7512)
|
||||
client_cert="pkcs11:manufacturer=piv_II;id=%01"
|
||||
private_key="pkcs11:manufacturer=piv_II;id=%01"
|
||||
|
||||
# Optional PIN configuration; this can be left out and PIN will be
|
||||
# asked through the control interface
|
||||
|
|
Loading…
Reference in a new issue