How to configure Network Manager for EAP-TLS using PKCS11 Private Key with PIN

Solution Verified - Updated -

Issue

  • How to configure Network Manager for EAP-TLS using PKCS11 Private Key with PIN
  • We would like to move from a file cert to a smart card cert to increase security and usability. The connection below works, but the problem is that I cannot understand how to ask for the PIN. Any 802-1x.private-key-password is ignored and NetworkManager does not ask for the PIN. To hard-code it like I have done here is not a viable solution:
nmcli con add type wifi ifname wlan0 con-name MyConnection ssid MySSID \
    connection.permissions "user:$USER" \
    connection.autoconnect-priority 50 \
    802-11-wireless-security.key-mgmt 'wpa-eap' \
    802-1x.eap 'tls' \
    802-1x.identity 'username@example.com' \
    802-1x.ca-cert '/etc/pki/ca-trust/source/anchors/MyCert.pem' \
    802-1x.client-cert "pkcs11:model=Model;manufacturer=Manuf;serial=123;token=ABC;id=ABC;object=ABC" \
    802-1x.private-key "pkcs11:model=Model;manufacturer=Manuf;serial=123;token=ABC;id=ABC;object=ABC;pin-value=1234" \
    802-1x.private-key-password-flags 4

Environment

  • Red Hat Enterprise Linux 8.4
  • NetworkManager
  • Wifi with EAP-TLS using PKCS11 Private Key
  • Smart Card certificate and PIN
