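# EAP-TLS using private key and certificates via OpenSSL PKCS#11 engine and
# openCryptoki (e.g., with TPM token)

# This example uses the following PKCS#11 objects:
# $ pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so  -O -l
# Please enter User PIN:
# Private Key Object; RSA
#   label:      rsakey
#   ID:         04
#   Usage:      decrypt, sign, unwrap
# Certificate Object, type = X.509 cert
#   label:      ca
#   ID:         01
# Certificate Object, type = X.509 cert
#   label:      cert
#   ID:         04

# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module.
# Both paths name shared objects that are loaded into the wpa_supplicant
# process, so the files and their parent directories should be writable only
# by the administrator.
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opencryptoki/libopencryptoki.so

network={
	ssid="test network"
	key_mgmt=WPA-EAP
	eap=TLS
	identity="User"

	# use OpenSSL PKCS#11 engine for this network
	engine=1
	engine_id="pkcs11"

	# select the private key and certificates based on ID (see pkcs11-tool
	# output above)
	key_id="4"
	cert_id="4"
	# ca_cert_id selects the CA certificate used to verify the authentication
	# server's certificate. On its own it accepts any server certificate
	# issued by that CA; add subject_match or altsubject_match (or
	# domain_suffix_match in newer wpa_supplicant versions) to pin the
	# expected server name. The value below is a constructed placeholder:
	#altsubject_match="DNS:radius.example.com"
	ca_cert_id="1"

	# set the PIN code; leave this out to configure the PIN to be requested
	# interactively when needed (e.g., via wpa_gui or wpa_cli)
	# The PIN is stored here in cleartext ("123456" is only a sample value):
	# anyone who can read this file can unlock the token's private key, so
	# keep the file readable by root only or omit the pin line.
	pin="123456"
}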