我想将 WPA 请求者配置为使用 TPM 2.0 托管证书进行身份验证,以便连接到公司网络。
我创建了由我的 TPM 管理的 RSA 密钥对,生成了 CSR 并收到了由公司 CA 签名的证书。现在我需要配置 WPA 请求者以使用此证书,发现只有 1 个对 TPM 1.0 有效的示例:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/examples/openCryptoki.conf
# EAP-TLS using private key and certificates via OpenSSL PKCS#11 engine and
# openCryptoki (e.g., with TPM token)
# This example uses following PKCS#11 objects:
# $ pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so -O -l
# Please enter User PIN:
# Private Key Object; RSA
# label: rsakey
# ID: 04
# Usage: decrypt, sign, unwrap
# Certificate Object, type = X.509 cert
# label: ca
# ID: 01
# Certificate Object, type = X.509 cert
# label: cert
# ID: 04
# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opencryptoki/libopencryptoki.so
network={
ssid="test network"
key_mgmt=WPA-EAP
eap=TLS
identity="User"
# use OpenSSL PKCS#11 engine for this network
engine=1
engine_id="pkcs11"
# select the private key and certificates based on ID (see pkcs11-tool
# output above)
key_id="4"
cert_id="4"
ca_cert_id="1"
# set the PIN code; leave this out to configure the PIN to be requested
# interactively when needed (e.g., via wpa_gui or wpa_cli)
pin="123456"
}
当我更改pkcs11_engine_path与pkcs11_module_pathTPM 2.0 兼容实用程序的路径时,如何在此配置中使用我的证书?我也应该让它由 TPM 管理吗?如何管理?
提前感谢您的帮助。
