hostap/wpa_supplicant/examples/openCryptoki.conf

# EAP-TLS using private key and certificates via OpenSSL PKCS#11 engine and
# openCryptoki (e.g., with TPM token)

# This example uses following PKCS#11 objects:
# $ pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so  -O -l
# Please enter User PIN:
# Private Key Object; RSA
#   label:      rsakey
#   ID:         04
#   Usage:      decrypt, sign, unwrap
# Certificate Object, type = X.509 cert
#   label:      ca
#   ID:         01
# Certificate Object, type = X.509 cert
#   label:      cert
#   ID:         04

# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opencryptoki/libopencryptoki.so

network={
	ssid="test network"
	key_mgmt=WPA-EAP
	eap=TLS
	identity="User"

	# use OpenSSL PKCS#11 engine for this network
	engine=1
	engine_id="pkcs11"

	# select the private key and certificates based on ID (see pkcs11-tool
	# output above)
	key_id="4"
	cert_id="4"
	ca_cert_id="1"

	# set the PIN code; leave this out to configure the PIN to be requested
	# interactively when needed (e.g., via wpa_gui or wpa_cli)
	pin="123456"
}