RSA certificate for WPA2

asked 2018-09-11 21:22:23 -0500


updated 2018-09-12 03:04:25 -0500


My organization's WPA & WPA2 Enterprise secured wifi is prompting me (of course it has to be the Linux users only) for a CA certificate. It says Ubuntu users can just choose the USERTrust_RSA_CERTIFICATION_AUTHORITY.pem file in their /etc/ssl/certs folder. I cannot find that file listed in that folder for my Fedora 28 machine. Any advice? Also, what are these certificates doing? Your comments are much appreciated!


Comments

see if you can find the certificate in ~/.cert

florian (2018-09-11 22:17:33 -0500)

My home directory doesn't have a .cert directory. I was able to find it in the bundled file though in /etc/ssl/certs, but that's different from Ubuntu. Am I just supposed to copy and paste the certificate out??

mb3 (2018-09-12 01:17:43 -0500)

2 Answers


answered 2018-09-12 03:07:51 -0500


On Fedora, CentOS and RHEL, .pem files lie somewhere below /etc/pki. You probably should put the file below /etc/pki/ca-trust/extracted.


Comments

I did find some pem files there but not the USERTrust one specifically. What do you think of the comment I posted to my question? Does that make sense?

mb3 (2018-09-12 03:40:48 -0500)

answered 2018-09-12 00:13:25 -0500

As you have asked: "Any advice? Also, what are these certificates doing?"

A standard implementation of WPA or WPA2 (Wi-Fi Protected Access) in enterprise environments is to use certificate-based authentication for wireless network access. For company-owned devices, it makes connecting to a company wireless network seamless - the required certificates are automatically installed at some point (during imaging/provisioning, via Group Policy, etc.), completely transparently to the end user. When a user goes to connect to a wireless network with their company-owned device, it already has the required certificate installed and trusted. (Depending on the configuration, the certificate alone may be enough, or it may require additional authentication in the way of domain credentials, or be based on the device itself, etc.) The certificates in question for WPA-enterprise are usually generated by an internal certificate authority, rather than a public certificate authority, which means that personal devices don't trust the CA, because they don't know about it. The OEM of your device (Apple) preloads it with a list of trusted public CAs which provide certificates for public-facing services (https websites being the most ubiquitous example), but as your employer's wireless network is not public-facing, there's no reason for them to use such a certificate (and arguably, a few reasons for them not to).

For this reason, your device is prompting you with a warning that you're being offered a certificate from an untrusted/unverified source.

If you look at the certificate, it says the purpose is "Server Authentication." This indicates that the certificate is being used to authenticate a particular server on your company's network (either the WAP you're connecting to, or the RADIUS server that's doing Authentication, Authorization and Accounting (AAA) for wireless connections). Accepting this certificate will only make your device trust the server that the certificate is for. If your IT department decided to issue a cert for Google or whomever to intercept SSL traffic, your device would not automatically trust that certificate based on accepting this one, because this certificate is only used to authenticate a specific host. In order to do that, you would have to accept a certificate from the internal certificate authority. That being said, there is a very remote possibility that you're actually connecting to a rogue WAP that's only claiming to be one of your employer's. To determine whether the AP you're connecting to is legitimate or not, you'd probably want to ask your IT department. You could compare the certificate with one you know is valid (such as one that's installed on your company-owned device), or import the public certificate from your company's internal CA onto your personal device, but it's generally easier to just ask. (And if you're worried about your employer intercepting SSL traffic, you wouldn't want to import any internal CA certificates onto your device, of course.)


Comments

I really appreciate the effort you put into this. Thank you so much!

mb3 (2018-09-12 01:18:30 -0500)
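The two answers together describe what a Fedora user actually has to do: pull the one CA certificate out of the system bundle under /etc/pki (the OP's "copy and paste it out" question) and then tell the supplicant to trust only that CA for the RADIUS server, which is what closes the rogue-AP concern raised in the second answer. The script below is an added example, not code from any of the posters or from Fedora. It assumes the bundle follows the p11-kit layout that Fedora's /etc/pki/tls/certs/ca-bundle.crt uses, where each certificate is preceded by a "# <name>" comment line, and it assumes a wpa_supplicant-style configuration (NetworkManager exposes the same ca_cert and domain_suffix_match settings). The sample bundle and the SSID, identity and server name are constructed placeholders.

```python
"""Extract a named CA certificate from a PEM bundle, fingerprint it, and
emit a wpa_supplicant network block that pins that CA and the RADIUS
server name.  Added example; assumptions are noted in the comments."""
import base64
import hashlib
import os
import ssl
import sys

# Fedora's extracted trust bundle (assumption: standard ca-certificates layout).
FEDORA_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"


def split_pem_bundle(text):
    """Return [(label, pem), ...] for every certificate in the bundle.
    The label comes from the '# ...' comment that precedes each block
    (assumption: the bundle was written by p11-kit with comments, as
    Fedora's is); it is '' when no comment precedes a block."""
    certs, label, body = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        if body is None:
            if line.startswith("#"):
                label = line.lstrip("# ").strip()
            elif line == "-----BEGIN CERTIFICATE-----":
                body = []
        elif line == "-----END CERTIFICATE-----":
            pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(body)
                   + "\n-----END CERTIFICATE-----\n")
            certs.append((label, pem))
            body, label = None, ""
        elif line:
            body.append(line)
    return certs


def find_cert(text, name_fragment):
    """Case-insensitive search on the comment label; (label, pem) or None."""
    for label, pem in split_pem_bundle(text):
        if name_fragment.lower() in label.lower():
            return label, pem
    return None


def sha256_fingerprint(pem):
    """Colon-separated SHA-256 of the DER form, the value to compare with
    what the IT department (or a known-good company device) reports."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def wpa_network_block(ssid, identity, ca_cert_path, server_suffix):
    """wpa_supplicant network block.  ca_cert restricts which CA may sign
    the RADIUS server's certificate and domain_suffix_match requires the
    server's name to match; omitting ca_cert makes the supplicant accept
    any server certificate, which is what a rogue AP relies on."""
    return "\n".join([
        "network={",
        f'    ssid="{ssid}"',
        "    key_mgmt=WPA-EAP",
        "    eap=PEAP",
        f'    identity="{identity}"',
        '    phase2="auth=MSCHAPV2"',
        f'    ca_cert="{ca_cert_path}"',
        f'    domain_suffix_match="{server_suffix}"',
        "}",
    ]) + "\n"


def _fake_pem(label, payload):
    """Constructed sample entry: base64 of arbitrary bytes, not a real cert."""
    b64 = base64.b64encode(payload).decode()
    return f"# {label}\n-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed two-entry bundle used when the real Fedora bundle is absent.
SAMPLE_BUNDLE = (_fake_pem("Example Root A", b"constructed: not a real certificate A")
                 + _fake_pem("USERTrust RSA Certification Authority",
                             b"constructed: not a real certificate B"))


def main(argv):
    name = argv[1] if len(argv) > 1 else "USERTrust"
    text = open(FEDORA_BUNDLE).read() if os.path.exists(FEDORA_BUNDLE) else SAMPLE_BUNDLE
    hit = find_cert(text, name)
    if hit is None:
        print(f"no certificate labelled like {name!r} in bundle")
        return 1
    label, pem = hit
    out = f"{name.lower()}.pem"
    with open(out, "w") as fh:
        fh.write(pem)
    print(f"{label}\n  SHA-256: {sha256_fingerprint(pem)}\n  written to {out}")
    print(wpa_network_block("corp-wifi", "user@example.com", os.path.abspath(out),
                            "radius.example.com"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 extract_ca.py USERTrust` on Fedora; the written file is what the NetworkManager dialog's "CA certificate" field wants, and the printed fingerprint is what to check against a trusted source before the `ca_cert` line goes into the network configuration.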
