Mobile Jon
Posted June 12

I wanted to post something here because in some verticals like retail, some people are just moving to Android 11 now (I know of a very large retailer where this is the case). Starting in Android 11, Google is starting to validate the RADIUS certificate chain for devices using EAP-TLS (Cert-Based Auth for WiFi).

One of the more common things over the years going back to the SEG days is people do not know how to build certificates correctly. Often, we just get the certificate from the security team and move on, but you end up having to rip apart the PFX to build the chain correctly. I'll throw this here just for others:

Re-create the PFX:

##Extract the Key##
openssl pkcs12 -in test.pfx -nocerts -out test.key

##Extract the CER##
openssl pkcs12 -in test.pfx -clcerts -nokeys -out test.cer

##Decrypt the Private Key##
openssl rsa -in test.key -out test-decrypted.key

After you do that, you open up the test.cer in Notepad++ preferably and paste in the text of your intermediate certs followed by your root certificates and save it. Once that is done, you re-create your PFX:

##Create a PFX##
openssl pkcs12 -export -out test.pfx -inkey test-decrypted.key -in test.cer -certfile cert-chain.pem

For the Android issue, you don't need to re-create the PFX. You just need to upload that test.cer. In addition, leverage the KB article for reference below to push down the SDK settings to your Android Intelligent Hub to ensure WiFi supports a full client certificate chain.

KB Article for reference: AAGNT-195041 - Certificates incorrectly installed for WPA2 Enterprise WiFi for Android 11+ (89264) (omnissa.com)
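A check for the hand-edited bundle described in the post above, added here as an example and not part of the original post: it confirms the certificates in a file such as test.cer are ordered leaf, intermediate(s), root. The function names and the demo certificate names are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: checks issuer/subject name chaining only, not signatures.
check_chain_order() {
    bundle=$1; rc=0; i=1
    tmp=$(mktemp -d) || return 2
    # One file per certificate; text outside the BEGIN/END markers
    # (such as the "Bag Attributes" lines pkcs12 writes) is skipped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/ { on = 0; close(out) }' "$bundle"
    [ -f "$tmp/cert1.pem" ] || { echo "no certificates in $bundle" >&2; rm -rf "$tmp"; return 2; }
    while [ -f "$tmp/cert$i.pem" ]; do
        next=$((i + 1))
        subject=$(openssl x509 -noout -subject -in "$tmp/cert$i.pem")
        issuer_hash=$(openssl x509 -noout -issuer_hash -in "$tmp/cert$i.pem")
        if [ -f "$tmp/cert$next.pem" ]; then
            expected=$(openssl x509 -noout -subject_hash -in "$tmp/cert$next.pem")
            what="the next certificate in the file"
        else   # the last entry must be the self-signed root
            expected=$(openssl x509 -noout -subject_hash -in "$tmp/cert$i.pem")
            what="itself (last entry should be the root)"
        fi
        if [ "$issuer_hash" = "$expected" ]; then
            echo "ok   [$i] $subject"
        else
            echo "FAIL [$i] $subject: issuer is not $what"; rc=1
        fi
        i=$next
    done
    rm -rf "$tmp"
    return "$rc"
}
# Constructed sample input: throwaway root, intermediate and leaf in directory $1.
make_demo_chain() {
    ( cd "$1" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
          -keyout root.key -out root.pem 2>/dev/null || exit 1
      for pair in "int:root:Demo Intermediate" "leaf:int:Demo Leaf"; do
          name=${pair%%:*}; rest=${pair#*:}; ca=${rest%%:*}; cn=${rest#*:}
          openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
              -keyout "$name.key" -out "$name.csr" 2>/dev/null || exit 1
          openssl x509 -req -in "$name.csr" -CA "$ca.pem" -CAkey "$ca.key" \
              -CAcreateserial -days 1 -out "$name.pem" 2>/dev/null || exit 1
      done )
}
[ "$#" -eq 0 ] || check_chain_order "$1"
```

Pass the bundle path as the first argument to check a real file; a non-zero exit status means the order is wrong or no certificates were found.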

Julien GOINDIN (Employee, Technical Adoption Manager)
Posted June 14

Glad to see you onboard @Mobile Jon!