Client Certificate Requirements for WPA3 Profiles

Make sure to follow the client certificate requirements for WPA3 profiles and use the correct digital signature algorithm.
WPA3-Enterprise 192-bit uses EAP-TLS authentication with the following TLS ciphers:
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • ECDHE and ECDSA using the 384-bit prime modulus curve P-384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • ECDHE using the 384-bit prime modulus curve P-384
    • RSA ≥ 3072-bit modulus
To comply with the above requirements, the client certificate should use one of the following digital signature algorithms:
  • ECDSA: Elliptic curve digital signature algorithm
  • RSA encryption with a minimum key size of 3072 bits
Our Zebra devices support:
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: This is mandatory
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: This is optional
  • There is no fallback mechanism from one cipher to another.
For the mandatory TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher, the certificates must be:
  • Key: elliptic curve key on the P-384 curve (ASN1 OID: secp384r1, NIST CURVE: P-384)
  • Signature algorithm: ecdsa-with-SHA384
For the optional TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher, the certificates must be:
  • Key: use RSA with 3072 bits or more
  • Signature algorithm: sha384WithRSAEncryption
The cipher rules apply to every certificate in the chain: the CA certificate, any intermediate certificates (if used), and the client and server certificates.
In 192-bit mode, a weaker CA certificate therefore cannot sign stronger server/client certificates, and key types cannot be mixed within a chain (for example, an RSA CA certificate cannot sign EC certificates).
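The following Python checker is an added example (not Zebra's or this page's code) that applies the 192-bit rules above to the text dump of each certificate in a chain, as produced by `openssl x509 -in cert.pem -noout -text`; the sample dumps below are constructed excerpts, not captured from a device.

```python
import re

# Acceptable key/signature pairings for WPA3-Enterprise 192-bit mode (from the rules above).
EC_CURVE_OID, EC_SIG = "secp384r1", "ecdsa-with-SHA384"   # NIST P-384
RSA_MIN_BITS, RSA_SIG = 3072, "sha384WithRSAEncryption"

def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def check_cert(text: str):
    """Return ("EC"|"RSA", "ok") if one `openssl x509 -noout -text` dump meets the rules, else (None, reason)."""
    sig = _field(r"Signature Algorithm:\s*(\S+)", text)
    key_alg = _field(r"Public Key Algorithm:\s*(\S+)", text)
    bits = _field(r"Public-Key:\s*\((\d+) bit\)", text)
    curve = _field(r"ASN1 OID:\s*(\S+)", text)
    if key_alg == "id-ecPublicKey":
        if curve != EC_CURVE_OID:
            return None, f"EC key on {curve}, need {EC_CURVE_OID} (P-384)"
        if sig != EC_SIG:
            return None, f"EC cert signed with {sig}, need {EC_SIG}"
        return "EC", "ok"
    if key_alg == "rsaEncryption":
        if bits is None or int(bits) < RSA_MIN_BITS:
            return None, f"RSA key is {bits} bits, need >= {RSA_MIN_BITS}"
        if sig != RSA_SIG:
            return None, f"RSA cert signed with {sig}, need {RSA_SIG}"
        return "RSA", "ok"
    return None, f"unsupported public key algorithm {key_alg}"

def check_chain(certs: list):
    """Check every certificate (CA, intermediates, leaf) and reject EC/RSA mixing."""
    problems, families = [], set()
    for i, cert in enumerate(certs):
        family, reason = check_cert(cert)
        if family is None:
            problems.append(f"cert {i}: {reason}")
        else:
            families.add(family)
    if len(families) > 1:
        problems.append("chain mixes RSA and EC certificates")
    return not problems, problems

# Constructed excerpts shaped like `openssl x509 -noout -text` output (not from a real device).
EC_P384 = ("Signature Algorithm: ecdsa-with-SHA384\nPublic Key Algorithm: id-ecPublicKey\n"
           "Public-Key: (384 bit)\nASN1 OID: secp384r1\nNIST CURVE: P-384\n")
RSA_3072 = ("Signature Algorithm: sha384WithRSAEncryption\n"
            "Public Key Algorithm: rsaEncryption\nPublic-Key: (3072 bit)\n")
RSA_2048 = RSA_3072.replace("3072", "2048")           # key too short for 192-bit mode
EC_P256 = EC_P384.replace("secp384r1", "prime256v1")  # wrong curve
```

Feed `check_chain` the dumps of the CA, any intermediates and the leaf together; a chain passes only when every member satisfies the same cipher's key and signature rules.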