I ended up talking to the organization's IT and resolved the issue easily.
My mistake consisted of several missteps:
- including the wrong certificate
- not including the right root certificate
- not ordering the certificates in the right order
The "CA certificate" file needs to be a single text file (PEM format)
containing a list of certificates, chained in order of trust (the least
trusted first, the most trusted last).
The RADIUS certificate does not need to be included (and should not be).
The RADIUS certificate also has the shortest valid lifetime.
We have to include the upstream certificates up to and including the root certificate in order for this approach to work.
In my case, the order of trust is like this (from least to most trusted):
RADIUS cert -> intermediary cert -> root cert
Warning: Your case may be very different.
The IT guy told me that my root certificate is "GlobalSign Root R1", which has the following serial number:
04:00:00:00:00:01:15:4b:5a:c3:94
I would not have been able to locate this without his help.
I downloaded the root certificate from the GlobalSign website (see below),
then converted the binary certificate to PEM format:
$ openssl x509 -inform der -in Root-R1.crt -out Root-R1.pem
then chained the certificates as root
# cat globalsign_intermediary.pem Root-R1.pem > /etc/NetworkManager/certs/work/all-certs.pem
and included the full path of all-certs.pem in the NetworkManager connection setting (via the GUI or by editing the text file that I listed in the question).
Now, restart NetworkManager; on my Debian box that means issuing:
# service network-manager restart
Once restarted, I was able to verify the AP's authenticity as indicated in syslog:
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA'
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2'
Jul 8 16:03:32 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/XXXXXX (details removed)'
Jul 8 16:03:33 wirawan1 wpa_supplicant[3638]: EAP-MSCHAPV2: Authentication succeeded
Jul 8 16:03:33 wirawan1 wpa_supplicant[3638]: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
Jul 8 16:03:33 wirawan1 wpa_supplicant[3638]: wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
More gory details
For the interested ones, the intermediate certificate has the following subject:
subject= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
This "organization" CA should use the R1 key, as shown here:
https://support.globalsign.com/customer/portal/articles/1426602-globalsign-root-certificates
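The ordering rule described in this answer (each certificate in the PEM bundle must be issued by the one that follows it, and the last one must be the self-signed root) is easy to get wrong and NetworkManager gives little feedback when it is. The following script, an added example that is not from the original answer, splits a PEM bundle into its certificates, pulls the subject and issuer common names out of each one with a minimal DER walker, and reports whether the bundle is ordered least-to-most trusted and ends at a root. The fake certificates it builds for demonstration are constructed, unsigned placeholders whose names merely mimic the ones in the syslog excerpt above; they are not the real GlobalSign certificates, and the helper names (`fake_cert_pem`, `check_chain_order`) are this example's own.

```python
import base64
import re

# --- minimal DER helpers (read side) -----------------------------------------

def _read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length: next k bytes hold the size
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):
    """Return the (tag, value) elements contained in a SEQUENCE/SET body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _name_to_cn(name_body):
    """Walk an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) and return its CN."""
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            oid, value = _children(atv)[:2]
            if oid[1] == b"\x55\x04\x03":          # id-at-commonName (2.5.4.3)
                return value[1].decode("utf-8", "replace")
    return None

def cert_names(der):
    """Return (subject CN, issuer CN) of one DER certificate."""
    _, cert_body, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)           # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo, ...
    return _name_to_cn(fields[4][1]), _name_to_cn(fields[2][1])

def split_pem(text):
    """Extract every CERTIFICATE block from a PEM bundle, in file order, as DER bytes."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def check_chain_order(pem_text):
    """Check least-to-most-trusted ordering: issuer(i) == subject(i+1), last is self-signed.
    Returns (ok, list of problem descriptions). Names only; signatures are not verified."""
    certs = [cert_names(d) for d in split_pem(pem_text)]
    if not certs:
        return False, ["no certificates found in bundle"]
    problems = []
    for i in range(len(certs) - 1):
        subj, issuer = certs[i]
        next_subj, _ = certs[i + 1]
        if issuer != next_subj:
            problems.append(f"cert {i} '{subj}' is issued by '{issuer}', but cert {i + 1} is '{next_subj}'")
    last_subj, last_issuer = certs[-1]
    if last_subj != last_issuer:
        problems.append(f"last cert '{last_subj}' is not self-signed (issuer '{last_issuer}'): root is missing")
    return not problems, problems

# --- constructed, unsigned placeholder certificates for demonstration only ---

def _tlv(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body

def _name(cn):
    atv = _tlv(0x30, b"\x06\x03\x55\x04\x03" + _tlv(0x0C, cn.encode()))   # CN as UTF8String
    return _tlv(0x30, _tlv(0x31, atv))

def fake_cert_pem(subject, issuer):
    """Build a structurally valid but unsigned X.509 shell carrying only the given names."""
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02")) +                      # version v3
               _tlv(0x02, b"\x01") +                                   # serial 1
               _tlv(0x30, b"\x06\x01\x00") +                           # dummy AlgorithmIdentifier
               _name(issuer) +
               _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z")) +
               _name(subject) +
               _tlv(0x30, b""))                                        # empty SubjectPublicKeyInfo
    cert = _tlv(0x30, tbs + _tlv(0x30, b"\x06\x01\x00") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    inter = fake_cert_pem("GlobalSign Organization Validation CA - G2", "GlobalSign Root CA")
    root = fake_cert_pem("GlobalSign Root CA", "GlobalSign Root CA")
    for label, bundle in (("intermediate+root", inter + root), ("root+intermediate", root + inter), ("intermediate only", inter)):
        ok, problems = check_chain_order(bundle)
        print(label, "OK" if ok else "PROBLEMS", problems)
```

To check a real bundle, read `/etc/NetworkManager/certs/work/all-certs.pem` and pass its contents to `check_chain_order`. The script only compares names, which catches the ordering and missing-root mistakes described above; it does not check signatures, so once the order looks right, `openssl verify -CAfile all-certs.pem <server-cert>` against the RADIUS server's certificate (which stays out of the bundle) is the real test.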
Best Answer
Had the same problem. You need to connect via "Connect to Hidden Network..."