How to configure Network Manager for EAP-TLS using PKCS11 Private Key with PIN

Solution Verified - Updated -

Issue

  • How to configure Network Manager for EAP-TLS using PKCS11 Private Key with PIN
  • We would like to move from file cert to smart card cert to increase security and usability. The below connection works, but the problem is that I cannot understand how to ask for the PIN. Any 802-1x.private-key-password is ignored and NetworkManager does not ask for the PIN. To hard-code it like I have done here is not a viable solution:
nmcli con add type wifi ifname wlan0 con-name MyConnection ssid MySSID \
    connection.permissions "user:$USER" \
    connection.autoconnect-priority 50 \
    802-11-wireless-security.key-mgmt 'wpa-eap' \
    802-1x.eap 'tls' \
    802-1x.identity 'username@example.com' \
    802-1x.ca-cert '/etc/pki/ca-trust/source/anchors/MyCert.pem' \
    802-1x.client-cert "pkcs11:model=Model;manufacturer=Manuf;serial=123;token=ABC;id=ABC;object=ABC" \
    802-1x.private-key "pkcs11:model=Model;manufacturer=Manuf;serial=123;token=ABC;id=ABC;object=ABC;pin-value=1234" \
    802-1x.private-key-password-flags 4
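
The command above leaves the smart card PIN in the stored connection profile as part of the PKCS#11 URI. The following added example (not part of the original article and not Red Hat code) audits profiles for such embedded PINs and redacts them in its output. It assumes profiles are stored in NetworkManager's keyfile format under /etc/NetworkManager/system-connections; the function names and the sample profile are constructed for illustration.

```python
import configparser
import re
import sys
from pathlib import Path

# Keyfile keys in the [802-1x] section that may hold a PKCS#11 URI.
URI_KEYS = ("client-cert", "private-key", "ca-cert")

# Constructed sample profile mirroring the nmcli command above (not real data).
SAMPLE_KEYFILE = """\
[connection]
id=MyConnection
type=wifi

[802-1x]
eap=tls;
identity=username@example.com
client-cert=pkcs11:token=ABC;id=ABC;object=ABC
private-key=pkcs11:token=ABC;id=ABC;object=ABC;pin-value=1234
private-key-password-flags=4
"""

def pkcs11_attr_names(uri):
    """Attribute names of a PKCS#11 URI. RFC 7512 puts pin-value in the
    query part ('?', '&'); the ';'-joined form used above is accepted too."""
    if not uri.startswith("pkcs11:"):
        return []
    parts = re.split(r"[;?&]", uri[len("pkcs11:"):])
    return [p.partition("=")[0].strip() for p in parts if "=" in p]

def redact(uri):
    """Mask the PIN so the audit output does not leak it again."""
    return re.sub(r"(pin-value=)[^;?&]*", r"\1<redacted>", uri)

def audit_profile(text, name="<profile>"):
    """Return (profile, key, redacted URI) for every embedded PIN."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for key in URI_KEYS:
        value = cp.get("802-1x", key, fallback="")
        if "pin-value" in pkcs11_attr_names(value):
            findings.append((name, key, redact(value)))
    return findings

if __name__ == "__main__":
    # Assumed default keyfile directory; reading it normally requires root.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "/etc/NetworkManager/system-connections")
    for path in sorted(root.glob("*.nmconnection")):
        for finding in audit_profile(path.read_text(), path.name):
            print(*finding, sep="\t")
```

Run as root with an optional directory argument; each output line names the profile, the affected key and the URI with the PIN masked.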

Environment

  • Red Hat Enterprise Linux 8.4
  • NetworkManager
  • Wifi with EAP-TLS using PKCS11 Private Key
  • Smart Card certificate and PIN
