On Sun, Feb 16, 2020 at 11:08:56AM -0800, Ben Greear wrote:
> On 02/16/2020 06:28 AM, Jouni Malinen wrote:
> > On Fri, Feb 07, 2020 at 01:10:15AM -0800, greearb@xxxxxxxxxxxxxxx wrote:
> > > @@ -180,12 +183,35 @@ ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI" > > > cat my-openssl.cnf | > > > sed "s/#@CN@/commonName_default = $OSU_SERVER_HOSTNAME/" | > > > sed "s/^##organizationalUnitName/organizationalUnitName/" | > > > - sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" | > > > + sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Server/" |
> >
> > Why?
>
> So it is easier to know which cert is which?

But there is not supposed to be more than a single certificate..

> > What is the purpose of creating yet another server certificate? This
> > does not sound like something that an operator would do (pay a CA
> > for..). The same OSU server certificate would be expected to be used
> > both on the AAA server for OSEN and the OSU server.
>
> I was having issues getting apache configured properly, and it was easier to debug
> the problem if I had different certs for different virtual instances. That way, I knew
> which apache instance was complaining.
>
> These certs are all self signed and fake anyway, and it is very difficult in my experience
> to set this up and debug problems among all of the different components, so anything that
> makes it easier to debug seems useful to me.
>
> Let me know if you want this change, and I'll split it up as you suggested above if so,
> otherwise, just drop the whole thing.

I'd rather keep the examples in hostap.git such that they match how
Hotspot 2.0 OSU would actually be deployed, so no, I do not want to
split this in a manner that would come up with two different server
certificates when the real deployment would use a single one.

-- 
Jouni Malinen PGP id EFC895FA
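
Review bot: The "+ sed" line for #@OU@ shortens the organizationalUnitName default from "Hotspot 2.0 Online Sign Up Server" to "Hotspot 2.0 Online Server", and nothing in the visible lines says why the subject of the existing certificate has to change. If the goal is only to tell test certificates apart, leave this default untouched and carry the distinguishing label in the new certificate's own fields, or add a comment next to the substitution explaining the new value. The hunk header shows the region growing from 12 to 35 lines, but only this one substitution is quoted, so the remaining additions cannot be assessed from here.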