Hi Jouni,

Could you please help me to sort out the issue in configuring 2 server certificates at hostapd. The already configured server certificate is about to expire and the requirement is to support both old and new certificates during the transition period.

> How did you try to configure this? Did you follow the example and
> documentation shown in hostapd/hostapd.conf for
> server_cert2/private_key2/private_key_passwd2?

Yes, as per the documentation in hostapd.conf, I configured it as below. ca_cert has the certificate authority for both of these certificates.

ca_cert=/tmp/certs/ca-chain.cert.pem
server_cert=/tmp/certs/radiussrv.cert.pem
private_key=/tmp/certs/radiussrv.key.pem
private_key2=/tmp/tstserver.p12
private_key_passwd2=gwvajjjkgnap

With debug prints, we usually get the configured certificate dump after hostapd initialization in hostapd:tls_global_set_params(). So there it dumps only the 2nd certificate, i.e. the 1st certificate is always overwritten. I was able to connect with both of these certificates if configured individually. The issue happens when 2 certificates are configured at a time.

So is it really possible to configure 2 certificates at the server side so that, based on client capability, it connects with the appropriate certificate?

> Please also note the comment about the number of deployed station/supplicant
> implementations having interoperability issues with this capability.

So does that mean we should not go for this option?

Regards,
Jincy S Sam

On Sun, Oct 17, 2021 at 9:49 AM Hello Users <hellousers1987@xxxxxxxxx> wrote:
>
> Thanks Jouni for your reply.
>
> > How did you try to configure this? Did you follow the example and
> > documentation shown in hostapd/hostapd.conf for
> > server_cert2/private_key2/private_key_passwd2?
>
> Yes, as per the documentation in hostapd.conf, I configured it as
> below.
> ca_cert has the certificate authority for both of these
> certificates
>
> ca_cert=/tmp/certs/ca-chain.cert.pem
> server_cert=/tmp/certs/radiussrv.cert.pem
> private_key=/tmp/certs/radiussrv.key.pem
> private_key2=/tmp/tstserver.p12
> private_key_passwd2=gwvajjjkgnap
>
> With debug prints, we usually get the configured certificate dump
> after hostapd initialization in hostapd:tls_global_set_params(). So
> there it dumps only the 2nd certificate, i.e. the 1st certificate is
> always overwritten. I was able to connect with both of these
> certificates if configured individually. The issue happens when 2
> certificates are configured at a time.
> So is it really possible to configure 2 certificates at the server side
> so that, based on client capability, it connects with the appropriate
> certificate?
>
> > Please also note the comment about the number of deployed station/supplicant
> > implementations having interoperability issues with this capability.
>
> So does that mean we should not go for this option?
>
> Thanks and regards.
>
> On Sat, Oct 16, 2021 at 2:25 AM Jouni Malinen <j@xxxxx> wrote:
> >
> > On Mon, Oct 11, 2021 at 06:10:11PM +0530, Hello Users wrote:
> > > Please help me in understanding the below feature.
> > > As per hostapd 2.9 change logs, it mentions support to configure 2
> > > server certificates/keys (RSA/ECC). But when I tried to configure, it
> > > only took/connected with the 2nd configured certificate. The 1st
> > > configured certificate is always overwritten. What needs to be done
> > > here to get the client connected with either of the certificates?
> >
> > How did you try to configure this? Did you follow the example and
> > documentation shown in hostapd/hostapd.conf for
> > server_cert2/private_key2/private_key_passwd2?
> >
> > Please also note the comment about the number of deployed station/supplicant
> > implementations having interoperability issues with this capability.
> >
> > --
> > Jouni Malinen PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
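The certificate-slot pairing discussed in this thread (server_cert/private_key and the alternative server_cert2/private_key2 slot), as an added example that is neither part of the mailing-list messages nor hostapd's own code: a small Python lint that parses a hostapd.conf fragment and reports how each slot is populated before hostapd is restarted. The sample configuration is constructed from the settings quoted in the thread. One labelled assumption: a private_key file ending in .p12/.pfx is treated as a PKCS#12 bundle that may carry its own certificate, so a slot with only such a key is reported as a note to confirm rather than an error; whether hostapd actually picks the certificate up from that bundle is for the reader to verify against their build.

```python
"""Lint the server-certificate slots of a hostapd.conf fragment.

Added example, not hostapd's own code. It checks that each certificate
slot (server_cert/private_key and the alternative server_cert2/private_key2
slot) is paired the way hostapd.conf documents, and reports what it finds.
Assumption (labelled): a private_key ending in .p12/.pfx is treated as a
PKCS#12 bundle that can carry the certificate itself, so a missing
server_cert for that slot is a note rather than an error.
"""

# Constructed sample: the settings quoted in the thread, as one config fragment.
SAMPLE_CONF = """\
# hostapd.conf fragment (constructed for this example)
ca_cert=/tmp/certs/ca-chain.cert.pem
server_cert=/tmp/certs/radiussrv.cert.pem
private_key=/tmp/certs/radiussrv.key.pem
private_key2=/tmp/tstserver.p12
private_key_passwd2=gwvajjjkgnap
"""

PKCS12_SUFFIXES = (".p12", ".pfx")  # assumption: these denote PKCS#12 bundles


def parse_conf(text):
    """Parse hostapd-style key=value lines; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def lint_cert_slots(conf):
    """Return {"slots": [slots in use], "findings": [(level, message), ...]}.

    Levels: "error" (slot cannot work as written), "warn" (likely to fail),
    "note" (worth confirming, e.g. relying on a PKCS#12 bundle for the cert).
    """
    findings = []
    slots = []
    seen_files = {}
    for suffix in ("", "2"):
        name = "slot" + (suffix or "1")
        cert = conf.get("server_cert" + suffix)
        key = conf.get("private_key" + suffix)
        passwd = conf.get("private_key_passwd" + suffix)
        if cert is None and key is None:
            continue  # slot not configured at all
        slots.append(name)
        is_p12 = key is not None and key.lower().endswith(PKCS12_SUFFIXES)
        if key is None:
            findings.append(("error", f"{name}: server_cert{suffix} set without private_key{suffix}"))
        elif cert is None and is_p12:
            findings.append(("note", f"{name}: no server_cert{suffix}; relies on the certificate inside {key} (PKCS#12 assumption)"))
        elif cert is None:
            findings.append(("error", f"{name}: private_key{suffix} set without server_cert{suffix}"))
        if is_p12 and passwd is None:
            findings.append(("warn", f"{name}: PKCS#12 key without private_key_passwd{suffix}"))
        # The same file reused across slots defeats the point of two certificate types.
        for path in (cert, key):
            if path is None:
                continue
            if path in seen_files and seen_files[path] != name:
                findings.append(("warn", f"{name}: {path} already used by {seen_files[path]}"))
            seen_files[path] = name
    if len(slots) == 2:
        findings.append(("note", "two slots configured: confirm slot1 and slot2 use different key types "
                                 "(RSA vs ECC) so clients can be matched by capability"))
    return {"slots": slots, "findings": findings}


def report(text):
    """Parse then lint a config fragment, returning the lint result."""
    return lint_cert_slots(parse_conf(text))


if __name__ == "__main__":
    result = report(SAMPLE_CONF)
    print("slots in use:", ", ".join(result["slots"]))
    for level, message in result["findings"]:
        print(f"[{level}] {message}")
```

Run against the thread's settings it reports slot1 as fully paired and slot2 as a key-only slot leaning on the PKCS#12 file, which is the first thing to confirm before looking at the tls_global_set_params() dump: the lint does not tell you which certificate hostapd will present, only whether the configuration gives it two complete, distinct slots to choose from.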