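# EAP-TLS using private key and certificates via OpenSSL PKCS#11 engine and
# openCryptoki (e.g., with TPM token)

# This example uses following PKCS#11 objects:
# $ pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so -O -l
# Please enter User PIN:
# Private Key Object; RSA
#   label:      rsakey
#   ID:         04
#   Usage:      decrypt, sign, unwrap
# Certificate Object, type = X.509 cert
#   label:      ca
#   ID:         01
# Certificate Object, type = X.509 cert
#   label:      cert
#   ID:         04

# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
# NOTE(review): both paths name shared objects that are loaded into the
# wpa_supplicant process, which usually runs with elevated privileges. Use
# absolute paths and keep the files and their directories writable only by
# root.
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opencryptoki/libopencryptoki.so

network={
	ssid="test network"
	key_mgmt=WPA-EAP
	eap=TLS
	identity="User"

	# use OpenSSL PKCS#11 engine for this network
	engine=1
	engine_id="pkcs11"

	# select the private key and certificates based on ID (see pkcs11-tool
	# output above)
	key_id="4"
	cert_id="4"
	# ca_cert_id selects the CA certificate (label "ca" above) that the
	# authentication server's certificate is checked against; keep a CA
	# configured so the server is actually verified.
	ca_cert_id="1"

	# Trusting the CA alone accepts any server certificate that CA issued.
	# Where the CA is shared, also pin the expected server name, e.g.:
	#subject_match="<placeholder: substring of the server certificate subject>"

	# set the PIN code; leave this out to configure the PIN to be requested
	# interactively when needed (e.g., via wpa_gui or wpa_cli)
	# "123456" is a sample value. A PIN set here is stored in cleartext, so
	# anyone who can read this file can use the private key on the token
	# even though the key itself stays there. If the PIN must be kept in
	# the file, restrict it to root (e.g. chmod 600); otherwise prefer the
	# interactive prompt.
	pin="123456"
}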