
How do I generate the certificates for EAP-TLS Wi-Fi?

2 votes
1 answer
5028 views
I want to connect a Linux machine to WPA2 Enterprise Wi-Fi (that I manage). The certificates I created with OpenSSL work well with Android and iOS devices, but I can't figure out what types of certificates are expected by wpa_supplicant.

Basically, I have a ca.pem, and, for a given device, the following files are being generated:

- demo.crt
- demo.csr
- demo.key
- demo.p12

It looks like wpa_supplicant can work with either a file containing both the public and the private certificate, or with two files. Originally, I was using two files:

- demo.key
- demo.pem, created by running openssl pkcs12 -in demo.p12 -out demo.pem -clcerts.

wpa_supplicant.conf was configured like this:
network={
    ssid="HelloWorld"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="demo@example.com"
    ca_cert="/etc/ssl/private/ca.pem"
    client_cert="/etc/ssl/private/demo.pem"
    private_key="/etc/ssl/private/demo.key"
    private_key_passwd=...
}
The authentication fails with the following error:

> OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

If I remove client_cert and use only private_key, pointing to the .pem file, the error is still the same. If I point it to .p12, the error is:

> OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)

Debian's documentation says that the PEM should be created from a .pfx. When I do that:
openssl pkcs12 -export -out demo.pfx -inkey demo.key -in demo.crt -certfile ca.crt
openssl pkcs12 -in demo.pfx -out demo.pem -clcerts
the original error is back:

> OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

How exactly should I generate the certificates for wpa_supplicant?
Asked by Arseni Mourzenko (1382 rep)
Apr 24, 2020, 10:20 PM
Last activity: Apr 30, 2020, 07:13 PM