Until recently I ran a Hex S, which I used to generate my home-used certificates and which also served as CAPsMAN. I used EAP-TLS with the generated certificates and was using "verify-certificate-with-crl" as the TLS mode. Everything was working fine.
Then I wanted to switch to a more powerful router and got an RB4011 (without wifi). I exported and imported the certificates and realized that the CRL function didn't work anymore, since... well because apparently there is no way to move certificates between router boards with the whole PKI intact. Using EAP-TLS without the possibility to revoke certificates doesn't make much sense, so I decided to set up my own PKI on a separate system using CFSSL.
After importing them (I imported the whole certificate chain: Certificates, CA and intermediate CA) everything looked fine:
Code:
/certificate print detail
...
9 KL T name="accesspoint.home.lan.p12_0" issuer="xxx" digest-algorithm=sha256 key-type=rsa
country="XX" state="XXX" locality="XXX" organization="XXX" unit="server" common-name="accesspoint.home.lan" key-size=2048
subject-alt-name=DNS:accesspoint.home.lan,IP:192.168.0.1 days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,tls-server
serial-number="XXX" fingerprint="XXX"
akid=XXX skid=XXX invalid-before=jun/28/2021 22:53:00 invalid-after=jun/26/2031 22:53:00
expires-after=520w2d5h32m3s
...
Code:
/certificate crl print detail
Flags: E - expired, D - dynamic, I - invalid
0 D cert=accesspoint.home.lan.p12_0 url="http://myserver/crl" revoked=0 next-update=jul/06/2021 20:44:39 last-update=jul/05/2021 16:54:08
fingerprint="xxx"
signature="xxx"
1 D cert=NetworkCA url="http://myserver/crl" revoked=0 next-update=jul/06/2021 20:44:39 last-update=jul/05/2021 16:54:08
fingerprint="xxx"
signature="xxx"
Code:
3 name="XXX" authentication-types=wpa2-eap encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m eap-methods=eap-tls tls-mode=verify-certificate
tls-certificate=accesspoint.home.lan.p12_0
Code:
XX:XX:XX:XX:XX:XX@SSID disconnected, EAP failure
P.S.
I run 6.48.3 and:
Code:
/certificate settings print
crl-download: yes
crl-use: yes
crl-store: ram
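As an added example, not code from the post and not RouterOS or CFSSL code: the script below rebuilds a comparable root -> intermediate -> server chain with openssl, publishes one CRL per CA, and runs the kind of check a "verify-certificate-with-crl" TLS mode performs, i.e. chain validation plus a revocation lookup at every depth. It then revokes the server certificate and shows the same check fail. The CA names, the server name and its SAN are assumptions modelled on the redacted output above; openssl has to be on PATH.

```shell
#!/bin/sh
# Added example (not RouterOS/CFSSL code). Names mirror the post and are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Write an openssl config for CA "$1" (cert $2, key $3 under $WORK) with a fresh
# issuance database so `openssl ca` can sign, revoke and generate CRLs for it.
write_ca_config() {
  rm -rf "$WORK/$1.db"
  mkdir -p "$WORK/$1.db/newcerts"
  : > "$WORK/$1.db/index.txt"
  echo 1000 > "$WORK/$1.db/serial"
  echo 1000 > "$WORK/$1.db/crlnumber"
  cat > "$WORK/$1.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK/$1.db
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = $WORK/$2
private_key = $WORK/$3
default_md = sha256
default_days = 1825
default_crl_days = 30
policy = policy_cn
unique_subject = no
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:accesspoint.home.lan,IP:192.168.0.1
EOF
}

# Root CA ("NetworkCA"), intermediate CA, and the access point's EAP-TLS server cert.
build_pki() {
  cd "$WORK"
  write_ca_config root root.crt root.key
  write_ca_config int int.crt int.key
  openssl req -x509 -config root.cnf -extensions v3_root -newkey rsa:2048 -nodes \
    -sha256 -days 3650 -subj "/CN=NetworkCA" -keyout root.key -out root.crt 2>/dev/null
  openssl req -new -config root.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=NetworkIntermediateCA" -keyout int.key -out int.csr 2>/dev/null
  openssl ca -batch -config root.cnf -extensions v3_ca -notext -in int.csr -out int.crt >/dev/null 2>&1
  openssl req -new -config int.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=accesspoint.home.lan" -keyout server.key -out server.csr 2>/dev/null
  openssl ca -batch -config int.cnf -extensions v3_server -notext -days 825 \
    -in server.csr -out server.crt >/dev/null 2>&1
  publish_crls
}

# One CRL per issuer, concatenated: a verifier that checks revocation at every
# depth needs a CRL for every CA in the chain, the root included.
publish_crls() {
  cd "$WORK"
  openssl ca -config root.cnf -gencrl -out root.crl 2>/dev/null
  openssl ca -config int.cnf -gencrl -out int.crl 2>/dev/null
  cat root.crl int.crl > chain.crl
}

# Chain + CRL check of server.crt; prints "ok", "revoked" or "fail: <output>".
verify_server() {
  cd "$WORK"
  out=$(openssl verify -crl_check_all -CAfile root.crt -untrusted int.crt \
        -CRLfile chain.crl server.crt 2>&1) && { echo ok; return 0; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo "fail: $out" ;; esac
}

# Revoke the server cert in the intermediate's database and republish the CRLs.
revoke_server() {
  cd "$WORK"
  openssl ca -config int.cnf -revoke server.crt >/dev/null 2>&1
  publish_crls
}

# Revoked entries in the intermediate's CRL (what the router shows as revoked=N).
crl_revoked_count() {
  openssl crl -in "$WORK/int.crl" -noout -text | grep -c 'Serial Number:' || true
}

build_pki
printf 'before revocation: %s (revoked=%s)\n' "$(verify_server)" "$(crl_revoked_count)"
revoke_server
printf 'after revocation:  %s (revoked=%s)\n' "$(verify_server)" "$(crl_revoked_count)"
```

The point of the "after revocation" run is the same one the post makes about EAP-TLS without a working CRL: until the verifier can fetch a CRL that every issuer in the chain signed, a revoked client or server certificate still validates. Pointing the `-CRLfile` at whatever the router downloads from the crl URL is a quick way to confirm that the published CRLs are signed by the right keys for the imported chain.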