From 21daac55edf9642d7c51f9c063ee0ea7f8f59ba9 Mon Sep 17 00:00:00 2001 From: Chaitanya Tata Date: Tue, 10 Jun 2025 14:44:05 +0000 Subject: [PATCH] doc: wifi: Add certificate generation instructions Add clear, step-by-step guide for generating test certificates using FreeRADIUS scripts, including file renaming and usage notes. Signed-off-by: Chaitanya Tata --- doc/connectivity/networking/api/wifi.rst | 48 ++++++++++++++++++++++++ doc/releases/release-notes-4.2.rst | 1 + 2 files changed, 49 insertions(+) diff --git a/doc/connectivity/networking/api/wifi.rst b/doc/connectivity/networking/api/wifi.rst index ad7825b5ace..f02362d9668 100644 --- a/doc/connectivity/networking/api/wifi.rst +++ b/doc/connectivity/networking/api/wifi.rst 
@@ -115,6 +115,54 @@ Any AAA server can be used for testing purposes, for example, ``FreeRADIUS`` or When using TLS credentials subsystem, by default the volatile backend i.e., :kconfig:option:`CONFIG_TLS_CREDENTIALS_BACKEND_VOLATILE` is chosen. When using the volatile backend, the certificates are stored in RAM and are lost on reboot, so the certificates need to be installed again after reboot. As an alternative, the PS (protected storage) backend i.e., :kconfig:option:`CONFIG_TLS_CREDENTIALS_BACKEND_PROTECTED_STORAGE` can be used to store the certificates in the non-volatile storage. +How to Generate Test Certificates Using FreeRADIUS +-------------------------------------------------- + +The test certificates in ``samples/net/wifi/test_certs/rsa2k`` are generated using the `FreeRADIUS raddb/certs scripts `_. You can generate your own certificates for testing as follows: + +1. **Prerequisites** + - Install OpenSSL and GNU Make. + - Download the `FreeRADIUS raddb/certs directory `_. + +2. **Edit the Makefile** + In the ``raddb/certs`` directory, edit the ``Makefile`` to add ``-nodes`` to the OpenSSL commands for server and client keys. This ensures the private keys are not password-protected (Zephyr Wi-Fi shell does not support private key passwords): + + :: + + $(OPENSSL) req -new -out server.csr -keyout server.key -nodes -config ./server.cnf + $(OPENSSL) req -new -out client.csr -keyout client.key -nodes -config ./client.cnf + +3. **(Optional) Edit the .cnf files** + Customize ``server.cnf`` and ``client.cnf`` as needed for your environment. + +4. **Generate Certificates** + Run the following commands in the ``raddb/certs`` directory: + + :: + + make destroycerts + make server + make client + +5. 
**Rename Files for Zephyr** + Match the filenames used in Zephyr samples: + + +-------------------+---------------------+ + | FreeRADIUS Output | Zephyr Sample Name | + +===================+=====================+ + | ca.pem | ca.pem | + | server.key | server-key.pem | + | server.pem | server.pem | + | client.key | client-key.pem | + | client.pem | client.pem | + +-------------------+---------------------+ + +6. **Copy the files** + Place the renamed files in your Zephyr project's certificate directory (e.g., ``samples/net/wifi/test_certs/rsa2k``). + +.. note:: + These certificates are for testing only and should not be used in production. + API Reference ************* diff --git a/doc/releases/release-notes-4.2.rst b/doc/releases/release-notes-4.2.rst index 065eda4c603..b2dcd604aab 100644 --- a/doc/releases/release-notes-4.2.rst +++ b/doc/releases/release-notes-4.2.rst @@ -189,6 +189,7 @@ New APIs and options * Wi-Fi * :kconfig:option:`CONFIG_WIFI_USAGE_MODE` + * Added a new section to the Wi-Fi Management documentation (``doc/connectivity/networking/api/wifi.rst``) with step-by-step instructions for generating test certificates for Wi-Fi using FreeRADIUS scripts. This helps users reproduce the process for their own test environments. * Power management
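Review bot: In the wifi.rst hunk, step 5, the grid table has no `+-------------------+---------------------+` separator between its five data rows, so reStructuredText parses them as a single row whose two cells each contain five lines of text. Add a separator line after every row (or use a ``list-table``) so each FreeRADIUS/Zephyr filename pair renders as its own row. In step 2 of the same hunk, `-nodes` writes `server.key` and `client.key` unencrypted, and OpenSSL 3.0 deprecates `-nodes` in favor of `-noenc`. Consider mentioning the newer flag, and have the closing note state that the unencrypted private keys are one reason these files are test-only.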
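Review bot: In the release-notes-4.2.rst hunk, the added bullet is placed under "New APIs and options" > Wi-Fi, next to `CONFIG_WIFI_USAGE_MODE`, but it announces a documentation section, not an API or Kconfig option. Move it to a part of the release notes that covers documentation changes, or drop it if doc-only changes are not normally listed there. If it stays, shorten it to one sentence and link to the new "How to Generate Test Certificates Using FreeRADIUS" section with a cross-reference rather than the literal path ``doc/connectivity/networking/api/wifi.rst``, which readers of the rendered notes cannot follow.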