xref: /freebsd/contrib/wpa/wpa_supplicant/examples/openCryptoki.conf (revision 2e3507c25e42292b45a5482e116d278f5515d04d)
1# EAP-TLS using private key and certificates via OpenSSL PKCS#11 engine and
2# openCryptoki (e.g., with TPM token)
3
4# This example uses following PKCS#11 objects:
5# $ pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so  -O -l
6# Please enter User PIN:
7# Private Key Object; RSA
8#   label:      rsakey
9#   ID:         04
10#   Usage:      decrypt, sign, unwrap
11# Certificate Object, type = X.509 cert
12#   label:      ca
13#   ID:         01
14# Certificate Object, type = X.509 cert
15#   label:      cert
16#   ID:         04
17
18# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
19pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
20pkcs11_module_path=/usr/lib/opencryptoki/libopencryptoki.so
21
22network={
23	ssid="test network"
24	key_mgmt=WPA-EAP
25	eap=TLS
26	identity="User"
27
28	# use OpenSSL PKCS#11 engine for this network
29	engine=1
30	engine_id="pkcs11"
31
32	# select the private key and certificates based on ID (see pkcs11-tool
33	# output above)
34	key_id="4"
35	cert_id="4"
36	ca_cert_id="1"
37
38	# set the PIN code; leave this out to configure the PIN to be requested
39	# interactively when needed (e.g., via wpa_gui or wpa_cli)
40	pin="123456"
41}
42