Client Certificate Requirements for WPA3 Profiles
Client Certificate Requirements for WPA3 Profiles

Client Certificate Requirements for WPA3 Profiles

Make sure to follow the client certificate requirements for WPA3 profiles and use the correct digital signature algorithm.
WPA3-Enterprise 192-bit uses EAP-TLS authentication with the following TLS ciphers:
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • ECDHE and ECDSA using the 384-bit prime modulus curve P-384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • ECDHE using the 384-bit prime modulus curve P-384
    • RSA ≥ 3072-bit modulus
To comply with the above requirements, the client certificate should use one of the following digital signature algorithms:
  • ECDSA: Elliptic curve digital signature algorithm
  • RSA encryption with a minimum key size of 3072 bits
Our Zebra devices support:
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: This is mandatory
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: This is optional
  • There is no fallback mechanism from one cipher to another.
For the mandatory TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher, the certificates must be:
  • Key: elliptic curve with P-384 curve i.e., ASN1 OID: secp384r1, NIST CURVE: P-384
  • Signature algorithm: ecdsa-with-SHA384
For the optional TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher, the certificates must be:
  • Key: use RSA with 3072 bits or more
  • Signature algorithm: sha384WithRSAEncryption
The cipher rules apply to all certificates starting from the CA certificate, any intermediate certificates (if used) and up to the client and server certificates.
This means that 192-bit mode does not allow weaker CA certificates to sign stronger server/client certificates or mixing RSA CA certificates to sign EC certificates.