
I am new to PKI, digital certificates etc., and this will be the first time I connect a medical wireless device to a wireless network using EAP-TLS.
I am connecting a medical wireless device to our customer's hospital wireless network with the setup below:

Root CA > Intermediate CA > Intermediate CA > User Certificate

Does the medical device require the entire chain, just the root CA, or just the intermediate chain?

Also, the medical wireless device that I have has the following fields that need to be filled out by the hospital's IT:

CA-CERT:
Client Cert:
Private Key:
Password:

I would presume the CA-CERT would contain the hospital's certificate issued to this device (possibly with the entire chain), but I am not really sure what the Client Cert, Private Key and Password will contain.

Anders
OLI11E
  • Please browse a little before posting questions: http://security.stackexchange.com/questions/47932/why-is-a-ca-certificate-required-for-eap-tls-clients . Still, I am replying in an answer for you. – Arjun sharma Oct 27 '16 at 06:12
  • It would be wise to put the intermediates in the same CA Cert file, otherwise the device will be unable to build a trust chain back to the trust anchor (root certificate). – flashbang Oct 27 '16 at 14:29

2 Answers


CA-CERT: I would presume the CA-CERT would contain the hospital's certificate issued to this device (possibly with the entire chain)

No, this is actually the root CA certificate for which the server will send a certificate chain to authenticate to the client. This prevents the client from connecting to a fake access point.

Client Cert: A certificate chain from a root CA the server trusts that shows that the owner of the private key (next) is actually this device.

Private Key: The private key that only this device knows and which identifies the device.

Password: This is a password which protects the private key.

So to clarify: The server and client both authenticate to each other.

CA-CERT will be used to authenticate the server to the client.

Client Cert, Private Key and Password will be used to authenticate the client to the server.

Elias
  • Hi Elias, can I ask what the "Identity" field is, and why the Password field is grayed out for this medical device? I have always thought that these are the users created in AD? – OLI11E Nov 09 '16 at 13:55

In general, in most cases the generic terminology means:

CA-CERT: It is the root certificate of the certificate chain the EAP server is going to test; it helps protect the user from an EVIL-TWIN type of attack by not allowing a TLS handshake from non-trusted authentication servers.

Client Cert: It is the chain of certificates (or individual certificate) that you will be sending to the authentication server for EAP negotiation; the depth of the chain depends on what your AS is expecting.

Private key: It is the secret key to protect your private key, used while deploying your user certificate on the device.

Arjun sharma
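The field mapping both answers describe, as an added example that is not part of the question or of either answer: a POSIX shell script that uses the openssl command line to build a throwaway copy of the asker's Root CA > Intermediate CA > Intermediate CA > User Certificate chain, write the contents of the four device fields, and check them the way the authentication server and the device will (including the missing-intermediates failure flashbang's comment warns about). Every name in it (the CA and device names, file names, the password) is constructed for the demonstration; it assumes only an openssl binary (1.1.1 or later) on PATH and writes to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. Builds the asker's
# four-level chain from throwaway certificates, produces the files for the
# device's CA-CERT, Client Cert, Private Key and Password fields, and checks
# them. All names, paths and the password are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY_PASSWORD='demo-only-change-me'   # constructed; this is the device's Password field

# Extension profile for the CA certificates (root and both intermediates)
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF

# Extension profile for the device (end-entity) certificate used in EAP-TLS
cat > "$WORK/device.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
EOF

# issue NAME SUBJECT ISSUER EXTFILE: new key pair plus a certificate signed by ISSUER
issue() {
    name=$1; subject=$2; issuer=$3; extfile=$4
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$name.key" 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "$subject" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
        -CAcreateserial -days 30 -extfile "$extfile" -out "$WORK/$name.pem" 2>/dev/null
}

# Root CA (self-signed) > Intermediate CA 1 > Intermediate CA 2 > device certificate
build_chain() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/root.key" 2>/dev/null
    openssl req -new -key "$WORK/root.key" -subj "/CN=Hospital Root CA (demo)" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    issue inter1 "/CN=Hospital Intermediate CA 1 (demo)" root   "$WORK/ca.ext"
    issue inter2 "/CN=Hospital Intermediate CA 2 (demo)" inter1 "$WORK/ca.ext"
    issue device "/CN=infusion-pump-0001 (demo)"          inter2 "$WORK/device.ext"
    # leaf's issuer first, then its issuer: the order a chain is normally sent in
    cat "$WORK/inter2.pem" "$WORK/inter1.pem" > "$WORK/intermediates.pem"
}

# CA-CERT field: the trust anchor the device checks the server's chain against,
# with the intermediates appended as flashbang's comment suggests.
# Prints the number of certificates in the bundle.
make_ca_cert_file() {
    cat "$WORK/root.pem" "$WORK/intermediates.pem" > "$WORK/CA-CERT.pem"
    grep -c 'BEGIN CERTIFICATE' "$WORK/CA-CERT.pem"
}

# Client Cert field: the device certificate first, then the intermediates, so the
# authentication server can build a chain to a root it trusts. Prints the count.
make_client_cert_file() {
    cat "$WORK/device.pem" "$WORK/intermediates.pem" > "$WORK/Client-Cert.pem"
    grep -c 'BEGIN CERTIFICATE' "$WORK/Client-Cert.pem"
}

# The check the authentication server performs on the Client Cert chain.
verify_device_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediates.pem" \
        "$WORK/device.pem" >/dev/null 2>&1
}

# Same check with the intermediates left out: the device cannot be chained to
# the trust anchor. Returns 0 only when verification fails, as expected.
verify_fails_without_intermediates() {
    ! openssl verify -CAfile "$WORK/root.pem" "$WORK/device.pem" >/dev/null 2>&1
}

# Private Key and Password fields: store the key as encrypted PKCS#8 under the
# password the device will be given. Prints 1 when the file is encrypted.
protect_private_key() {
    openssl pkey -in "$WORK/device.key" -aes-256-cbc -passout "pass:$KEY_PASSWORD" \
        -out "$WORK/device-encrypted.key" 2>/dev/null
    grep -c 'BEGIN ENCRYPTED PRIVATE KEY' "$WORK/device-encrypted.key"
}

# Hand-over sanity check: the certificate's public key must match the decrypted
# private key, otherwise the device can never prove it owns the certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORK/device.pem" -pubkey -noout)
    key_pub=$(openssl pkey -in "$WORK/device-encrypted.key" -passin "pass:$KEY_PASSWORD" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# A wrong password must not unlock the key. Returns 0 when it is rejected.
wrong_password_rejected() {
    ! openssl pkey -in "$WORK/device-encrypted.key" -passin 'pass:wrong' -pubout >/dev/null 2>&1
}

build_chain
echo "CA-CERT bundle holds $(make_ca_cert_file) certificates"
echo "Client Cert bundle holds $(make_client_cert_file) certificates"
verify_device_chain && echo "device certificate chains to the root"
verify_fails_without_intermediates && echo "without the intermediates the chain does NOT verify"
protect_private_key >/dev/null && key_matches_cert && echo "encrypted private key matches the certificate"
```

CA-CERT.pem and Client-Cert.pem are plain concatenated PEM, which is what most supplicants accept in those fields; the private key stays in encrypted PKCS#8 form and the string in KEY_PASSWORD is what the Password field has to hold. Remove the trap line if you want to keep the generated files for inspection.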