Linux Manual Configuration
Configuring SCEP certificate on a Linux machine
Work in Progress: Document under development, not final.
Certmonger is a certificate manager package. Open a Linux terminal and type the following command:
sudo apt install certmonger
- Get the Foxpass certificate from https://console.foxpass.com/settings/eap-tls/, listed under Server Certificate Authorities (note: get the cert that is signed by the "active" CA).
- Place it, named appropriately, at the following path: /etc/ssl/api_foxpass_com.crt
The unique SCEP endpoint can be found on the SCEP page. Obtain the CA certificate from the EAP-TLS page and save it to /etc/ssl/api_foxpass_com_ca.crt by using the following command:
sudo /usr/lib/certmonger/scep-submit -u https://api.foxpass.com/scep/<unique-id> -R /etc/ssl/api_foxpass_com.crt -C > /etc/ssl/api_foxpass_com_ca.crt
sudo getcert add-scep-ca -c foxpass -u https://api.foxpass.com/<unique-id> -R /etc/ssl/api_foxpass_com.crt [-r /etc/ssl/api_foxpass_com_ca.crt] -N /etc/ssl/api_foxpass_com_ca.crt
sudo getcert request -k <private key file> -f <public key file> -c foxpass -N $(hostname) -E <EMAIL> -w -L <Challenge Phrase> -m 600 -P <PIN>
nmcli c add type wifi ifname <wifi NIC> con-name '<Name>' \
802-11-wireless.ssid '<SSID>' \
802-11-wireless-security.key-mgmt wpa-eap \
802-1x.eap tls \
802-1x.identity '<' \
802-1x.ca-cert /etc/ssl/api_foxpass_com_ca.crt \
802-1x.client-cert <public key file> \
802-1x.private-key <private key file> \
802-1x.private-key-password <PIN>
- Make sure you have the necessary permissions for the api_foxpass_com.crt file.
- If you run into an error like "verify error:num=20:unable to get local issuer certificate" in Step 3, make sure the certificate authorities on your Linux system are up to date. If not, update the package and the CA certificates:
sudo apt update
sudo apt install ca-certificates
sudo update-ca-certificates
- If you don't want the private key to have a password, remove the 802-1x.private-key-password <PIN> parameter and add this parameter instead:
802-1x.private-key-password-flags 4