You can use Wireshark to dump the handshake and then convert the binary data to PEM with openssl, as suggested by @grawity in a similar question on Super User:
Sadly, wpa_supplicant doesn't have an option to dump the certificates even in debug mode. (I'll update this if I find a better way.) You can still monitor the actual EAPOL authentication process, though. First, install Wireshark.
While disconnected, bring the interface up manually and start a capture on it:
$ sudo ip link set wlan0 up
$ wireshark -ki wlan0 &
Start wpa_supplicant and soon you'll see the TLS handshake:
The server will send its certificates immediately after ServerHello. Select the first such packet, then dig into:
802.1X
└─Extensible Authentication Protocol
  └─Secure Sockets Layer
    └─Handshake Protocol: Certificate
      └─Certificates
Right-click the first instance of "Certificate (stuff)" and choose "Export selected packet bytes". Wireshark will save it as a file, in binary DER format. Repeat this for all other certificates. The topmost one (RADIUS server's) has information that you can configure in altsubject_match; the last one (root CA) should be given to wpa_supplicant as ca_cert.
Now you have a few *.crt or *.der files in binary DER format. Convert them to PEM "text" format:
openssl x509 -inform DER < mycert.der > mycert.pem
(If your wpa_supplicant is using OpenSSL as the TLS handler, you must give it the "root CA" certificate; giving it the server's certificate won't work.
Note that it's also possible that the last certificate seen in Wireshark won't be of a root CA, but only issued by one of the root CAs in your /etc/ssl/certs directory... If that's the case, be sure to set altsubject_match as well – using public CAs would be insecure otherwise, since 802.1X unfortunately does not know what "hostname" to verify against, the way e.g. HTTPS would.)
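The steps above (convert the exported DER files to PEM, give the root to wpa_supplicant as ca_cert, and derive altsubject_match from the server certificate) can be scripted. The following is an added example, not code from the quoted answer or from the wpa_supplicant project; it assumes openssl is installed and that the file names passed to it are the DER files exported from Wireshark. It also checks the caveat at the end of the answer: if the last certificate in the chain is not self-signed, it is not a root CA, so an altsubject_match line is required rather than optional.

```shell
#!/bin/sh
# Added example: post-process the DER certificates exported from Wireshark.
# Assumes openssl is on PATH. File names are whatever the user passes in.

# Convert one DER file to a PEM file next to it; prints the PEM path.
der_to_pem() {
    der="$1"
    pem="${der%.*}.pem"
    openssl x509 -inform DER -in "$der" -out "$pem"
    printf '%s\n' "$pem"
}

# Print "root" when the certificate is self-signed (subject == issuer),
# otherwise "chained". A chained last certificate means the real root is a
# public CA from the system store, which is the insecure case the answer warns about.
cert_role() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo root
    else
        echo chained
    fi
}

# Print the DNS entries of the subjectAltName extension, one per line,
# already in the "DNS:name" form that wpa_supplicant's altsubject_match uses.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
      | awk '/Subject Alternative Name/ { getline; print; exit }' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*\(DNS:[^[:space:]]*\).*/\1/p'
}

# Build the wpa_supplicant configuration line (entries are ';'-separated).
altsubject_match_line() {
    names=$(san_dns_names "$1" | paste -sd ';' -)
    printf 'altsubject_match="%s"\n' "$names"
}

# Report on a chain given as DER files in the order Wireshark showed them:
# first = RADIUS server certificate, last = what should be the root CA.
report_chain() {
    first=""
    last=""
    for der in "$@"; do
        pem=$(der_to_pem "$der")
        [ -n "$first" ] || first="$pem"
        last="$pem"
    done
    echo "server certificate: $first"
    altsubject_match_line "$first"
    echo "last certificate:   $last ($(cert_role "$last"))"
    if [ "$(cert_role "$last")" = "root" ]; then
        printf 'ca_cert="%s"\n' "$last"
    else
        echo "last certificate is not self-signed: its issuer is a system CA,"
        echo "so keep the altsubject_match line above; ca_cert alone is not enough."
    fi
}

# Usage: ./chain-report.sh server.der intermediate.der root.der
if [ "$#" -gt 0 ]; then
    report_chain "$@"
fi
```

Run it with the DER files in the order they appeared in Wireshark; the printed altsubject_match and ca_cert lines can be pasted into the network block of wpa_supplicant.conf after you have confirmed the names are the ones you expect.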