In Jenkins -> Manage Plugins, I observe this message:
There were errors checking the update sites: None of the tool installer metadata passed the signature check
My question is: How can I manually check the signature of updates in order to determine if they are valid?
Subsidiary question, how can I determine the cause of this error?
UPDATE: In the meantime it seems the expired cert has been renewed:
https://updates.jenkins-ci.org/updates/hudson.tools.JDKInstaller.json.html
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 3735928570 (0xdeadbefa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=Jenkins Project, CN=Kohsuke Kawaguchi/emailAddress=kk#kohsuke.org
Validity
Not Before: Nov 19 21:21:39 2018 GMT
Not After : Nov 19 21:21:39 2019 GMT
Subject: C=US, ST=California, O=Jenkins Project, CN=Community Update Center
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
So for me the issue seems solved.
Have you tried:
Why is there Failed Signature Check when using update server?
Suppress the signature verification check by adding the following Java option:
-Dhudson.model.DownloadService.noSignatureCheck=true
or
Modify your JDK security policy to admit insecure encryption algorithms by replacing jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 with jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 512 in the file $JRE_HOME/lib/security/java.security
Related
I'm trying to get hostapd working with EAP-PEAP and a Let's Encrypt certificate. When connecting with my Android phone though, it does not connect and complains the certificate was expired.
hostapd logs
wlan0: STA <mac> IEEE 802.11: authenticated
wlan0: STA <mac> IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED <mac>
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
SSL: SSL3 alert: read (remote end reported an error):fatal:certificate expired
OpenSSL: openssl_handshake - SSL_connect error:0A000415:SSL routines::sslv3 alert certificate expired
wlan0: CTRL-EVENT-EAP-FAILURE <mac>
wlan0: STA <mac> IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA <mac> IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan0: STA <mac> IEEE 802.11: deauthenticated due to local deauth request
Client configuration
EAP Method: PEAP
Identity:
Password:
CA-Certificate: Use System Certificate
Domain:
Phase2 Authentication: MSCHAPV2
Anonymous Identity:
When configuring the CA-Certificate validation mode to "no validation" however, the connection works flawlessly.
Certificate
> openssl x509 -in /etc/hostapd/certs/server.pem -text
[...]
Validity
Not Before: Jan 29 09:40:58 2023 GMT
Not After : Apr 29 09:40:57 2023 GMT
Subject: CN = <domain>
[...]
hostapd.conf
# EAP Settings
eap_server=1
ieee8021x=1
eapol_version=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
rsn_pairwise=CCMP
eap_user_file=/etc/hostapd/hostapd.eap_user
ca_cert=/etc/hostapd/certs/ca.pem
server_cert=/etc/hostapd/certs/server.pem
private_key=/etc/hostapd/certs/server.key
hostapd.eap_user
# Wildcard for all other identities
* PEAP,TTLS,TLS
# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
"testaccount1" MSCHAPV2 "SuperSecretPassword1" [2]
On my Windows machine, these settings work flawlessly: the certificate is presented to me and I can decide to accept it (or not). However, the validation method is very different on Windows.
I'm therefore wondering if any of you have experience with this on Android.
I'm also confused with the lines
wlan0: STA <mac> IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA <mac> IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
This looks to me like I misconfigured something in eap_user, but then again it is working as long as certificate validation is not enabled.
For anyone looking for an answer to this:
The above configuration actually works flawlessly with Windows and iOS. Only getting Android to work requires a different configuration in hostapd.conf and on the Android device:
in hostapd.conf:
For ca_cert, download the Root-CA that is used in the certificate chain for signature of the intermediate CA which signed your server.pem. In my case, this was ISRG Root X1. All Let's Encrypt certificates are available on https://letsencrypt.org/de/certificates/
For server_cert, the fullchain.pem file is used, containing the server certificate and the intermediate certificate chain.
on Android:
Download the same Root CA and add it specifically as Wifi Certificate. This certificate needs to be selected when connecting.
It appears as if Android does not use the system certificate store, or the system certificate store for Wi-Fi certificates does not contain the Let's Encrypt Root CA. Therefore, this CA needs to be added manually, rendering the process on Android much more complicated on unmanaged devices.
I issued my own CA certificate to enable https for my development environment.
On my Windows PC I was able to add my root CA. On iOS I can install it and it shows that it is verified, but when I go to General -> About -> Certificate Trust Settings the certificate does not show up.
Some information about the root CA.
Input:
openssl x509 -in ca.pem -text -noout
Output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
[...]
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = Some-Country, ST = Some-State, O = Some-Company
Validity
Not Before: Jul 7 18:45:56 2022 GMT
Not After : Jul 4 18:45:56 2032 GMT
Subject: C = Some-Country, ST = Some-State, O = Some-Company
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
[...]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
[...]
X509v3 Authority Key Identifier:
keyid:[...]
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
[...]
My mistake was that the root CA I created was valid for 10 years. Since 1 September 2020, Apple limits the validity period to a maximum of 397 days.
Source: https://support.apple.com/en-us/HT211025
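Both the Jenkins post (an expired update-centre certificate) and this iOS post (a root CA whose lifetime Apple rejects) come down to reading the Validity block of `openssl x509 -text`. The script below is an added example, not code from either post: it parses that block from the text output and reports expiry at a chosen instant plus whether the lifetime exceeds the 397-day limit cited above. The sample dumps are constructed from the dates shown in the posts, and the file name check_validity.py in the usage comment is hypothetical.

```python
"""Validity check on `openssl x509 -text` output (added example, not from the posts).

Reads the Validity section both posts pasted, then reports whether the
certificate is expired at a chosen instant and whether its lifetime exceeds
the 397-day maximum the iOS answer cites (Apple HT211025).  The two sample
dumps are constructed from the dates in the posts; they are not real certificates.
"""
import re
from datetime import datetime, timedelta, timezone

# Longest lifetime Apple accepts for TLS server certificates issued after
# 1 September 2020 (HT211025); a 398-day certificate is rejected.
APPLE_MAX_VALIDITY = timedelta(days=397)

# openssl pads single-digit days with a space ("Jul  7"), hence \s+ after the month.
_VALIDITY_RE = re.compile(
    r"Not Before\s*:\s*(?P<nb>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} GMT)"
    r"\s*Not After\s*:\s*(?P<na>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} GMT)"
)


def _parse_openssl_time(text):
    """'Jul  7 18:45:56 2022 GMT' -> aware UTC datetime."""
    normalized = " ".join(text.split())  # collapse the day padding
    parsed = datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def parse_validity(x509_text):
    """Return (not_before, not_after) from `openssl x509 -text` output."""
    match = _VALIDITY_RE.search(x509_text)
    if match is None:
        raise ValueError("no Validity section found in the certificate text")
    return _parse_openssl_time(match.group("nb")), _parse_openssl_time(match.group("na"))


def check_certificate(x509_text, now=None, max_validity=APPLE_MAX_VALIDITY):
    """Summarise validity problems.  `now` may be an aware datetime, an ISO date
    string (treated as UTC) or None for the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    not_before, not_after = parse_validity(x509_text)
    lifetime = not_after - not_before
    return {
        "not_before": not_before,
        "not_after": not_after,
        "lifetime_days": lifetime.days,
        "expired": now > not_after,
        "not_yet_valid": now < not_before,
        "exceeds_max_validity": lifetime > max_validity,
    }


# Constructed sample: the dates of the renewed Jenkins update-centre certificate.
JENKINS_CERT_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Validity
            Not Before: Nov 19 21:21:39 2018 GMT
            Not After : Nov 19 21:21:39 2019 GMT
        Subject: C=US, ST=California, O=Jenkins Project, CN=Community Update Center
"""

# Constructed sample: the ten-year root CA from the iOS post.
IOS_ROOT_CA_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Validity
            Not Before: Jul  7 18:45:56 2022 GMT
            Not After : Jul  4 18:45:56 2032 GMT
        Subject: C = Some-Country, ST = Some-State, O = Some-Company
"""


if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name): openssl x509 -in ca.pem -text -noout | python check_validity.py
    text = sys.stdin.read() if not sys.stdin.isatty() else IOS_ROOT_CA_TEXT
    for key, value in check_certificate(text).items():
        print(f"{key}: {value}")
```

Piping `openssl x509 -in ca.pem -text -noout` into the script gives the same verdict the iOS device reaches silently: the ten-year root is reported as exceeding the maximum validity, while the renewed Jenkins certificate is reported as expired only once the chosen instant is past its Not After date.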
On our build servers we use signtool.exe to sign our artifacts.
The same arguments are passed to signtool.exe each time, but it fails or passes sporadically due to our certificate not being used because of a "private key filter".
We have been using this process for a while but we started seeing failures the morning of March 27, 2019.
We start the signtool.exe process with the following arguments:
sign /fd sha256 /f "cert.p12" /p certPass /du hostSiteHere /v /debug /tr timeStampUrl "fileNames"
Specifications
- signtool.exe is from the windows 10 sdk
- build servers are hosted in AWS as windows 2016 server ec2 instances
- Jenkins (v2.1.68) runs the builds using the Amazon EC2 plugin (v1.42)
The logs, depending on if it passes or fails:
PASS
The following certificates were considered:
Issued to: myCompany, Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
Expires: Wed Oct 30 12:00:00 2019
SHA1 hash: myCertSha1Hash
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
Issued to: myCompany, Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
Expires: Wed Oct 30 12:00:00 2019
SHA1 hash: myCertSha1Hash
The following additional certificates will be attached:
Issued to: DigiCert SHA2 Assured ID Code Signing CA
Issued by: DigiCert Assured ID Root CA
Expires: Sun Oct 22 12:00:00 2028
SHA1 hash: digiCertSigningSha1Hash
Done Adding Additional Store
FAIL
The following certificates were considered:
Issued to: myCompany, Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
Expires: Wed Oct 30 12:00:00 2019
SHA1 hash: myCertSha1Hash
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 0 certs were left.
No certificates were found that met all the given criteria.
Odd behaviors to note:
the same ec2 instance can work successfully and then fail later
an ec2 instance failing may start working if a user RDPs into the ec2 instance
the same certificate, signtool.exe and arguments are being passed every time
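As an added example (not from the post), a small triage helper that parses the signtool /debug output quoted above and names the filter that removed the certificate, so a build step can report "rejected by Private Key filter" rather than a bare signing failure. The PASS and FAIL logs are trimmed from the post and keep its placeholder thumbprint; the script name signtool_triage.py is hypothetical. It only identifies the stage at which the certificate was dropped; it does not explain why the private key was unavailable on that run.

```python
"""Triage of signtool /debug output (added example, not from the original post).

signtool prints, for each of its selection filters, how many certificates
survived.  These helpers read that output and name the first filter that left
nothing, so a build step can fail with the real stage instead of a generic
signing error.  The two log samples are the PASS/FAIL excerpts from the post,
trimmed to the lines that matter, with the post's placeholder thumbprint.
"""
import re

_FILTER_RE = re.compile(r"After (?P<name>.+?) filter, (?P<count>\d+) certs? were left\.")
_SELECTED_RE = re.compile(
    r"The following certificate was selected:.*?SHA1 hash: (?P<sha1>\S+)", re.S)


def filter_counts(log_text):
    """Ordered list of (filter name, certificates remaining after it)."""
    return [(m.group("name"), int(m.group("count"))) for m in _FILTER_RE.finditer(log_text)]


def eliminating_filter(log_text):
    """Name of the first filter that dropped the count to zero, or None."""
    for name, count in filter_counts(log_text):
        if count == 0:
            return name
    return None


def selected_thumbprint(log_text):
    """SHA1 thumbprint of the certificate signtool chose, or None if none was chosen."""
    match = _SELECTED_RE.search(log_text)
    return match.group("sha1") if match else None


def classify(log_text):
    """One-line verdict for a CI log."""
    culprit = eliminating_filter(log_text)
    if culprit is not None:
        return f"rejected by {culprit} filter"
    sha1 = selected_thumbprint(log_text)
    if sha1 is not None:
        return f"signed with {sha1}"
    return "no certificate selection found in log"


# Trimmed from the post's PASS run (placeholder thumbprint kept as-is).
PASS_LOG = """\
The following certificates were considered:
Issued to: myCompany, Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
SHA1 hash: myCertSha1Hash
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
Issued to: myCompany, Inc.
SHA1 hash: myCertSha1Hash
"""

# Trimmed from the post's FAIL run.
FAIL_LOG = """\
The following certificates were considered:
Issued to: myCompany, Inc.
SHA1 hash: myCertSha1Hash
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 0 certs were left.
No certificates were found that met all the given criteria.
"""


if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name): signtool sign ... /debug ... > sign.log
    #                                 python signtool_triage.py sign.log
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else FAIL_LOG
    print(classify(text))
```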
After building my own eventmachine/thin with SSL support on Windows (Install OpenSSL with Ruby for eventmachine on Windows 7 x86) I got another problem with the SSL certificate: when I use the built-in self-signed one, thin works fine, but it does not respond to any request while using the corporate certificate.
Here is my path for obtaining the certificate:
I generated private key with puttygen (ssl-private.key)
I generated CSR using following command:
openssl req -out ssl.csr -key ssl-private.key -new
I sent CSR to CA and received P7B file
I converted P7B using following command:
openssl pkcs7 -inform DER -outform PEM -in cert.p7b -print_certs > cert.crt
What could go wrong here?
What have I checked:
openssl rsa -in ssl-private.key -check
says "RSA key ok"
openssl x509 -in cert.crt -text -noout
says
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
***
Signature Algorithm: sha1WithRSAEncryption
Issuer: ***
Validity
Not Before: Feb 16 08:47:25 2004 GMT
Not After : Feb 16 08:55:36 2024 GMT
Subject: ***
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 3 (0x3)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
***
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
***
while the same check made on self-signed cert, created using
openssl genrsa -des3 -out server.orig.key 2048
openssl rsa -in server.orig.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
says
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
***
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Validity
Not Before: Jun 24 14:42:07 2015 GMT
Not After : Jun 23 14:42:07 2016 GMT
Subject: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
***
OK, some change: I have changed the certs order in the crt file so that the final cert is not last but first, and the result is different: Chrome drops an error of NET::ERR_CERT_INVALID, IE similar, and both do not navigate further
openssl s_client output (looks ok, *** Root CA 1 is trusted in windows):
Loading 'screen' into random state - done
CONNECTED(000001E8)
depth=1 DC = com, DC = ***, CN = *** Enterprise CA 1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=***/ST=***/O=***/CN=***.com
i:/DC=com/DC=***/CN=*** Enterprise CA 1
1 s:/DC=com/DC=***/CN=*** Enterprise CA 1
i:/DC=com/DC=***/CN=*** Root CA 1
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=/C=***/ST=***/O=***/CN=***.com
issuer=/DC=com/DC=***/CN=*** Enterprise CA 1
---
No client certificate CA names sent
---
SSL handshake has read 3404 bytes and written 665 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: ***
Session-ID-ctx:
Master-Key: ***
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket: ***
Start Time: 1435319943
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
I have made a simple https server (lib/emtestssl):
require 'rubygems'
require 'bundler/setup'
Bundler.require

class ServerHandler < EM::Connection
  def post_init
    puts "post_init"
    # Serve the chain in comb.crt (leaf first) with the matching private key
    start_tls :private_key_file => 'private.key', :cert_chain_file => 'comb.crt', :verify_peer => false
  end

  def receive_data(data)
    puts "Received data in server: #{data}"
    # HTTP requires CRLF line endings; the empty line ends the header block
    send_data("HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nHello world!")
    close_connection_after_writing
  end
end

EventMachine.run do
  puts 'Starting server...'
  EventMachine.start_server('145.245.202.233', 443, ServerHandler)
end
it works fine without TLS; with TLS the browser won't connect :(
as per http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify private key and certificate do match
it looks like (patched) eventmachine is completely fine: I have taken a key/cert pair from an existing server and (after a URL mismatch warning from the browser) it works fine
after comparing the certificates it looks like my CA has failed and brought me a cert with wrong properties: working one is described as Server Authentication (1.3.6.1.5.5.7.3.1) while failing one is Client Authentication (1.3.6.1.5.5.7.3.2)
I will issue another CSR and charge them for the lost day... :/
maybe one important discovery is an order of certificates within cert file: one must go from the final cert to the root being at the end of the chain
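The ordering rule stated in this last line, and the fullchain.pem advice in the hostapd answer earlier on the page, say the same thing: the end-entity certificate comes first and each following block is the issuer of the previous one. The script below is an added example (not from either post) that checks a bundle against that rule given each block's subject and issuer, rebuilds the leaf-first order of a shuffled bundle, and reads the same pairs out of an `openssl s_client` "Certificate chain" listing like the one quoted above. All names and the placeholder bundle are constructed; names_from_pem assumes an openssl binary on PATH and is only used when a real file is passed on the command line; the script name chain_order.py is hypothetical.

```python
"""Order check for a PEM certificate bundle (added example, not from either post).

Rule: the bundle starts with the end-entity certificate and every following
block is the issuer of the one before it.  Given each block's (subject, issuer)
pair these helpers verify the rule, rebuild the order of a shuffled bundle, and
parse the same pairs from `openssl s_client` output.  All names and the
placeholder bundle are constructed; `names_from_pem` assumes `openssl` on PATH.
"""
import re
import subprocess

_PEM_BLOCK_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# " 0 s:<subject>" followed by "   i:<issuer>" in the s_client chain listing
_SCLIENT_RE = re.compile(r"^\s*\d+ s:(?P<s>.*)\n\s*i:(?P<i>.*)$", re.M)


def split_pem_bundle(text):
    """Individual PEM certificate blocks, in file order."""
    return _PEM_BLOCK_RE.findall(text)


def names_from_pem(pem_block):
    """(subject, issuer) of one block via `openssl x509 -noout -subject -issuer`."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                         input=pem_block, capture_output=True, text=True, check=True).stdout
    fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    return fields["subject"].strip(), fields["issuer"].strip()


def parse_s_client_chain(text):
    """(subject, issuer) pairs from the 'Certificate chain' section of s_client."""
    return [(m.group("s").strip(), m.group("i").strip()) for m in _SCLIENT_RE.finditer(text)]


def chain_order_errors(names):
    """Problems with a leaf-first ordering; an empty list means the order is valid."""
    errors = []
    if len(names) > 1 and names[0][0] == names[0][1]:
        errors.append("block 0 is self-signed; the end-entity certificate must come first")
    for i in range(len(names) - 1):
        issuer, next_subject = names[i][1], names[i + 1][0]
        if issuer != next_subject:
            errors.append(f"block {i} is issued by '{issuer}' but block {i + 1} is '{next_subject}'")
    return errors


def reorder_chain(names):
    """Indices that put the blocks leaf-first, or None if there is no single leaf.
    The leaf is the one certificate that issued nothing else in the bundle; the
    walk stops at a self-signed root or when the issuer is not in the file."""
    by_subject = {subject: idx for idx, (subject, _) in enumerate(names)}
    referenced = {issuer for subject, issuer in names if issuer != subject}
    leaves = [idx for idx, (subject, _) in enumerate(names) if subject not in referenced]
    if len(leaves) != 1:
        return None
    order = [leaves[0]]
    while True:
        subject, issuer = names[order[-1]]
        nxt = by_subject.get(issuer)
        if issuer == subject or nxt is None or nxt in order:
            break
        order.append(nxt)
    return order


# Constructed bundle: three placeholder blocks (not real certificates) stored in
# the wrong order: intermediate, leaf, root.  SAMPLE_NAMES gives their names.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
(intermediate placeholder)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(leaf placeholder)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root placeholder)
-----END CERTIFICATE-----
"""
SAMPLE_NAMES = [
    ("CN=Example Intermediate CA", "CN=Example Root CA"),
    ("CN=ap.example.test", "CN=Example Intermediate CA"),
    ("CN=Example Root CA", "CN=Example Root CA"),
]
# Constructed s_client excerpt in the layout of the post's output.
SAMPLE_S_CLIENT = """\
Certificate chain
 0 s:/C=XX/O=Example/CN=www.example.test
   i:/DC=test/DC=example/CN=Example Enterprise CA 1
 1 s:/DC=test/DC=example/CN=Example Enterprise CA 1
   i:/DC=test/DC=example/CN=Example Root CA 1
---
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python chain_order.py fullchain.pem (hypothetical file name)
        names = [names_from_pem(b) for b in split_pem_bundle(open(sys.argv[1]).read())]
    else:
        names = SAMPLE_NAMES
    for problem in chain_order_errors(names) or ["order is valid"]:
        print(problem)
    print("leaf-first order:", reorder_chain(names))
```

Run against the shuffled sample it lists both misplacements and prints the index order [1, 0, 2] that puts the leaf first and the root last. A bundle that omits the root, as the s_client excerpt above does, still passes the order check; the "unable to get local issuer certificate" in the post is a trust-store question, not an ordering one.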
I am doing an MDM vendor set up and have an Apple enterprise account for the same. But after completing all the steps I am getting an issue when I try to install the iPhone Configuration Utility file on the iPhone. We are getting an alert saying “Profile Installation Failed”. Please suggest what you suspect may be wrong. Following are the steps I followed for my profile creation.
For Vendor:
I created my vendor csr on my macbook called vendor.csr.
Email: My Enterprise Account Email.
Common Name: My Company Name.
Saved to Disk.
Uploaded the vendor.csr file to the enterprise account and downloaded the mdm.cer file from the account.
Loaded this certificate to the key chain.
Exported the .p12 file as private.p12 file.
Extracted Private key using command : openssl pkcs12 -in private.p12 -nocerts -out key.pem
Extracted Certificate : openssl pkcs12 -in private.p12 -clcerts -nokeys -out cert.pem
Convert the certificate to DER form: openssl x509 -in cert.pem -inform PEM -out mdm.cer -outform DER
Stripped password from private key: openssl rsa -in key.pem -out private.key
For customer:
Now I created one more csr for push from the same macbook called push.csr.
Email: Company Support Email.
Common Name : Company Name Push
Saved to Disk.
Python Code :
Link: https://github.com/grinich/mdmvendorsign
I got the Python code from the above link to get the plist-encoded file from the files I generated above, i.e. private.key, push.csr, mdm.cer. I renamed my files according to the command below and generated a plist-encoded file.
Command : python mdm_vendor_sign.py --csr user_submitted_CSR.csr --key mdm_vendor_private.key --mdm mdm_certifiate_from_apple.cer
Push Cert :
Then I uploaded a plist encoded file on “https://identity.apple.com/pushcert/” and downloaded the resulting push certificate from there.
Installed the pushcert downloaded to the key chain and exported it in the p12 format and call it mdm.p12.
Converted the mdm.p12 to PEM format: openssl pkcs12 -in mdm.p12 -out pushcert.pem -nodes
iPhone Configuration Utility :
I implemented three sections of iPCU. For server setup I am using RapidSSL for my server set up.
General
a. Name : My Company Private Limited
b. Identifier: com.mycompany.mdm.profile
c. Organization : My Company Name
d. Description : Version 1.0
e. Security : Always.
Credentials
Uploaded the pushcert.pem file generated at the last step of push cert work.
Mobile Device Management
a. Server URL : https://xyz.server
b Check In URL : https://xyz.checin
c. Topic :com.apple.mgmt.External.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
d. Identity : selected from credential.
Export iPCU -> None/SignConfigurationProfile (tried both).
Now this file is failing to install on the device when I send it through mail, and I am getting the message “profile installation failed”. What I understand from the logs is that the device is unable to make a connection to the server. Please suggest how I could resolve that.
Device Logs:
Nov 27 19:02:21 iPhone profiled[114] <Notice>: (Note ) MC: Checking for MDM installation...
Nov 27 19:02:21 iPhone profiled[114] <Notice>: (Note ) MC: ...finished checking for MDM installation.
Nov 27 19:02:21 iPhone profiled[114] <Notice>: (Note ) MC: Beginning profile installation...
Nov 27 19:02:21 iPhone profiled[114] <Error>: SecTrustEvaluate [leaf AnchorTrusted]
Nov 27 19:02:23 iPhone locationd[63] <Notice>: Gesture EnabledForTopCLient: 0, EnabledInDaemonSettings: 0
Nov 27 19:02:24 iPhone locationd[63] <Notice>: Gesture EnabledForTopCLient: 0, EnabledInDaemonSettings: 0
Nov 27 19:02:24 iPhone profiled[114] <Error>: SecTrustEvaluate [leaf AnchorTrusted]
Nov 27 19:02:26 iPhone profiled[114] <Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
Desc : A connection to the server could not be established.
US Desc: A connection to the server could not be established.
Domain : MCHTTPTransactionErrorDomain
Code : 23001
Type : MCFatalError
Params : (
"https://mdm.myCompanyName.com/Service1.svc",
500
)
Nov 27 19:02:26 iPhone profiled[114] <Notice>: (Error) MC: Cannot install MDM “Mobile Device Management”. Error: NSError:
Desc : The payload “Mobile Device Management” could not be installed.
Sugg : A connection to the server could not be established.
US Desc: The payload “Mobile Device Management” could not be installed.
US Sugg: A connection to the server could not be established.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
Params : (
"Mobile Device Management"
)
...Underlying error:
NSError:
Desc : A connection to the server could not be established.
US Desc: A connection to the server could not be established.
Domain : MCHTTPTransactionErrorDomain
Code : 23001
Type : MCFatalError
Params : (
"https://mdm.myCompanyName.com/Service1.svc",
500
)
Nov 27 19:02:26 iPhone profiled[114] <Notice>: (Error) MC: Rolling back installation of profile “com.myCompanyName.mdm.profile”...
Nov 27 19:02:26 iPhone profiled[114] <Notice>: (Error) MC: Installation of profile “com.myCompanyName.mdm.profile” failed with error: NSError:
Desc : The profile “myCompanyName” could not be installed.
Sugg : The payload “Mobile Device Management” could not be installed.
US Desc: The profile “myCompanyName” could not be installed.
US Sugg: The payload “Mobile Device Management” could not be installed.
Domain : MCProfileErrorDomain
Code : 1009
Type : MCFatalError
Params : (
"myCompanyName"
)
The certificate you generated with your MDM vendor cert from Apple isn't used for device authentication. It's used for that particular server to send notifications to APNs.
The identity in iPCU (which was deprecated long ago) is for a client certificate. Also remember that all TLS certificates need to be valid and trusted. Your server is rejecting the client with an HTTP 500, so I would start investigating the server logs as to why.
Really though if you are developing your own MDM solution I would open a DTS incident with Apple. The API documents are only published to folks in the Enterprise Developer Program and not publicly available. Rather than here, the MDM section of the Apple Developer Forums is probably a better place to discuss it.