Hi Kamil, to configure my private CA I did this operations: 1) edited the ca.cnf file provided by FreeRadius with organization relevant values (default_days, input and output password, country_name, stateOrProvinceName, localityName, organizationName, emailAddress and commonName) 2) executed the make command to generate "ca.pem", "ca.der", "printca", "dh" files 3) edited the server.cnf file provided by FreeRadius (default_days, input and output password) 4) executed the make command to generate "server.pem" file 5) edited the Makefile in order to execute the following openssl commands to create client certificates (the reference for this changes is the TechTalk tutorial posted in the previous mail) client.p12: client.crt openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client.p12 $(USER_NAME).p12 client.pem: client.p12 openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client.pem $(USER_NAME).pem client_android.p12: client.crt openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.pem -name "$(USER_NAME)" -out client_android.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client_android.p12 $(USER_NAME)_android.p12 6) edited the client.cnf file provided by FreeRadius ( default_days, input and output password, countryName, stateOrProvinceName, localityName, organizationName, emailAddress, commonName) 7) executed the make command to generate client certificates with .p12 extension. To install the client certificate on Android devices we usually copy p12 files inside Download folder and tap on file to extract the certificate specifiying WiFi as type. To configure the WiFi profile on device, we chose EAP-TLS and we select the just installed certificate both on CA dropdown and client dropdown. Identity and Domain field are filled with "commonName" value. All certs are stored inside "freeradius/certs" directory. Thanks Dario Barbon Il 08/01/2024 19:18, Kamil Jońca ha scritto:
Dario Barbon <dbarbon@olicom.eu> writes:
Hi Kamil, I generated the certificates by following this tutorial ("configure EAP-TLS" section): https://techtalkblog.ch/ubuntu-18-04-freeradius-v3-wifi-authentication/ I did not ask you for link but for steps you did.
Moreover this howto might be obsolete because
"openssl pkcs12" with openssl3.0 sometimes needs "-legacy" option i.e.
openssl pkcs12 -legacy -export -in ... -certfile ...-inkey ... -out ...
I'm not thinking that certificates are deleted ... I saw this happens many times! And it happens (in my limited experience) always with Android 11 devices.
Sometimes users deleted the WiFi connection: that action deletes also WiFi user installed certificates. Sometimes, after a bunch of unsuccessful connection tries, Android 11 devices deletes certificates. Tested now: TCL NXT paper - (Android 11) - no such thing happened, after "forgetting" connection certificates remains, and can be used to redefine connection.
As Alan said: either you do something wrong (this is my susppect) or you found SERIOUS bug in android supplicant (I doubt)
KJ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html