eap_peap: ERROR: (TLS) Alert read:fatal:unknown CA

Dario Barbon dbarbon at olicom.eu
Tue Jan 9 09:44:06 UTC 2024

Hi Kamil, to configure my private CA I did these operations:

1) edited the ca.cnf file provided by FreeRadius with organization 
relevant values (default_days, input and output password, country_name, 
stateOrProvinceName, localityName, organizationName, emailAddress and 

2) executed the make command to generate "ca.pem", "ca.der", "printca", 
"dh" files

3) edited the server.cnf file provided by FreeRadius (default_days, 
input and output password)

4) executed the make command to generate "server.pem" file

5) edited the Makefile in order to execute the following openssl 
commands to create client certificates (the reference for these changes 
is the TechTalk tutorial posted in the previous mail)

    # Recipe lines below must begin with a tab in the real Makefile.
    client.p12: client.crt
         openssl pkcs12 -export -in client.crt -inkey client.key \
             -out client.p12 \
             -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
         cp client.p12 $(USER_NAME).p12

    client.pem: client.p12
         openssl pkcs12 -in client.p12 -out client.pem \
             -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
         cp client.pem $(USER_NAME).pem

    # Android bundle: also carries ca.pem and a friendly name for the entry.
    client_android.p12: client.crt
         openssl pkcs12 -export -in client.crt -inkey client.key \
             -certfile ca.pem -name "$(USER_NAME)" -out client_android.p12 \
             -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
         cp client_android.p12 $(USER_NAME)_android.p12

6) edited the client.cnf file provided by FreeRadius ( default_days, 
input and output password, countryName, stateOrProvinceName, 
localityName, organizationName, emailAddress, commonName)

7) executed the make command to generate client certificates with .p12 

To install the client certificate on Android devices we usually copy p12 
files inside the Download folder and tap on the file to extract the certificate, 
specifying WiFi as type. To configure the WiFi profile on the device, we 
choose EAP-TLS and select the just-installed certificate both in the CA 
dropdown and in the client dropdown. The Identity and Domain fields are filled with 
the "commonName" value.

All certs are stored inside "freeradius/certs" directory.


Dario Barbon

On 08/01/2024 19:18, Kamil Jońca wrote:
> Dario Barbon <dbarbon at olicom.eu> writes:
>> Hi Kamil, I generated the certificates by following this tutorial
>> ("configure EAP-TLS" section):
>> https://techtalkblog.ch/ubuntu-18-04-freeradius-v3-wifi-authentication/
> I did not ask you for a link but for the steps you did.
> Moreover this howto might be obsolete because
> "openssl pkcs12" with openssl3.0 sometimes needs the "-legacy" option, i.e.
> openssl pkcs12 -legacy -export -in ... -certfile  ...-inkey ... -out ...
>> I'm not thinking that certificates are deleted ... I saw this happen
>> many times! And it happens (in my limited experience) always with
>> Android 11 devices.
>> Sometimes users deleted the WiFi connection: that action also deletes
>> WiFi user-installed certificates. Sometimes, after a bunch of
>> unsuccessful connection tries, Android 11 devices delete
>> certificates.
> Tested now: TCL NXT paper - (Android 11)  - no such thing happened,
> after "forgetting" the connection certificates remain, and can be used to
> redefine the connection.
> As Alan said: either you do something wrong (this is my suspect) or you
> found a SERIOUS bug in the android supplicant (I doubt it)
> KJ
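When a phone answers the server's certificate with "unknown CA", one thing worth checking is what the .p12 handed to the device actually contains: the plain client.p12 rule above bundles only the client certificate, while the client_android.p12 rule also carries ca.pem. The script below is an added example, not code from the thread or from the FreeRADIUS certs/ Makefile; it builds a throwaway CA and client certificate (constructed stand-ins for ca.pem, client.crt and client.key, with a made-up password in place of $(PASSWORD_CLIENT)), bundles them both ways, and reports whether each bundle carries the CA certificate, compared by SHA-256 fingerprint.

```shell
#!/bin/sh
# Added example: inspect what a PKCS#12 client bundle carries before
# installing it on a device. Everything generated here is throwaway.
set -eu

LAB=$(mktemp -d)           # scratch directory for the constructed material
trap 'rm -rf "$LAB"' EXIT
cd "$LAB"
PASS=clientpass            # stands in for $(PASSWORD_CLIENT)

# Constructed stand-ins for ca.pem, client.crt and client.key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Test CA" \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=user1" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -days 1 -in client.csr -CA ca.pem -CAkey ca.key \
  -CAcreateserial -out client.crt 2>/dev/null

# The two bundles the Makefile builds: plain, and with -certfile ca.pem.
openssl pkcs12 -export -in client.crt -inkey client.key \
  -out client.p12 -passout "pass:$PASS"
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.pem \
  -name user1 -out client_android.p12 -passout "pass:$PASS"

# Number of certificates (client plus any CA certs) stored in a bundle.
p12_cert_count() {  # $1 = bundle, $2 = password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only if the bundle's CA entries include the cert in $3 (ca.pem).
# -cacerts selects the certs that do not belong to the bundled private key;
# the match is on the SHA-256 fingerprint, not on the subject name.
p12_carries_ca() {  # $1 = bundle, $2 = password, $3 = ca.pem
  want=$(openssl x509 -in "$3" -noout -fingerprint -sha256)
  openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | grep -qxF "$want"
}

for bundle in client.p12 client_android.p12; do
  if p12_carries_ca "$bundle" "$PASS" ca.pem; then ca=yes; else ca=no; fi
  echo "$bundle: $(p12_cert_count "$bundle" "$PASS") cert(s), carries CA: $ca"
done
```

Run it against a real bundle by pointing p12_carries_ca at the .p12, its password and the certs/ca.pem the server presents; a bundle that reports "carries CA: no" installs no CA on the device, so the device has nothing to validate the server certificate against.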
