CC3235SF: EAP-TLS business certificate prompts CA unknown

Part Number: CC3235SF

Currently, we are utilizing the EAP-TLS functionality of the cc3235 module, and a self-signed certificate chain—including the intermediate certificate—can successfully establish a connection with the RADIUS server. However, when using a commercially signed certificate, the TLS handshake process prompts an "unknown CA" error. This commercial certificate is included in the trust list provided by the SDK, and we have verified its compatibility with TLS communication in our application, confirming that it is recognized by NWP. Therefore, we would like to understand how to properly validate the commercial certificate in EAP-TLS mode.

The root certificate we use is issued by the following organization:
CN = DigiCert Global Root G2
OU = www.digicert.com
O = DigiCert Inc
C = US

  • Hi Tao,

    This will likely not work. CC32xx supports only TLS 1.0 for EAP security. And according to the TLS 1.0 standard, only SHA-1 is supported. But your "DigiCert Global Root G2" is a SHA-256 certificate.

    Jan

  • Thank you for your reply. Please review the attached file, in which we have generated the certificate internally. The self-signed SHA-256 certificate can be recognized by EAP-TLS, thereby enabling a successful connection to the access point. (Attachment: Certificate-generation-script.zip)

  • Hi,

    OK, thank you for the information that you tested with your self-signed SHA-256 certificate.

    Have you uploaded the DigiCert CA into the filesystem ("/sys/cert/ca.der")? I suppose yes, but please confirm this.

    Jan

  • Yes, I have placed the CA certificate in the appropriate location. The certificate I generated, based on the attached file above, can be successfully linked to the server.

  • Hi,

    Hard to say why this is failing. Do you have the latest ServicePack inside the device? If so, maybe you can try to capture an NWP log. TI employees can decode the NWP log, and maybe they can find some clue inside it. More details about the NWP log can be found in SWRU455 chapter 20.

    Wait for an answer from the TI side. Meanwhile you can prepare an NWP log in case they ask for it.

    Jan

  • Hi Tao,

    Can you capture and share an NWP log? I want to see if there are additional details on how the handshake failed. The thing is, based on the image you are showing me, the lack of trust of the certificate chain is on the server side (I see an access challenge on the top right), so the server is the one rejecting the certificate chain. Is there a way for you to add the DigiCert Global Root G2 to the trust store of the RADIUS server if you haven't already?