Installing a .crt to use wifi as client

Hi there everyone, I am new here and fairly new to OpenWrt.
I have OpenWrt installed on a raspberry pi which I use the wifi on the pi to connect into an wifi SSID to give me web connectivity and then have my own little private network hanging off the pi network port. This allows me to rock up to a location connect to the wifi and then the devices on my own network have internet access. This works well. However I am going into a venue that in order to give me wi fi access requires me to downs load a .crt. My question is how/can I do this with OpenWrt....

Thanks in anticipation

What .crt, source ?

The surfprotect.crt file is being supplied by the venue and is sourced by Exa Networks LTD

You’re not really clear on what you want. Maybe TLS encryption? https://openwrt.org/docs/guide-user/services/tls/start

Can you sow encryption modes on their AP in iw scan ?

Are we discussing 802.1x EAP-TLS?

Maybe this: https://github.com/ouaibe/howto/blob/master/OpenWRT/802.1xOnOpenWRTUsingFreeRadius.md

Normally I just have to connect to and SSID and I am off to the races. This venue has given me a whole set of instructions for installing this crt on Windows, Mac, Ipad and Android which then allows me to connect their SSID and put in a password to connect. What I want to do is install the crt so when I connect to the wifi SSID it will allow me to connect and type in the password. I am guessing this is just an extra layer of security. So simply can I do this and if so how do I install the crt.

And? Do you expect us to hatch eap client parameters from the thin air?

place ctr file in /etc/ssl/certs

then in wifi menu connect to EAP access pint (scan → click → enter parameters)

replace wpad-basic-mbedtls for wpad-mbedtls if the mode is not supported right away.

ok I will try an put the cert in that directory, hopefully it should be that simple

Thanks

There ars two possibilities here. Both are within the realm of what is commonly called Enterprise Authentication, which requires thd full wpad package instead of the stripped down wpad-basic which is default.

The more common EAP-TTLS-PEAP system has a unique username and password for each user, but the certificate is the same for everyone in the system. As you said, the certificate is an extra layer of security to prevent you from connecting to a fake access point. Such a fake AP will obtain your username and a hashed version of your wifi password and could potentially crack it.
Verifying the APs certificate against the published CA certificate is optional but highly recommended.

The less common EAP-TLS system, in addition to AP certificate as described above, issues a unique certificate with private key to every user. Posession of the user certificate's private key confirms the user's identity and allows access. Passwords are typically not used. This is found mostly in high security environments since it is more complicated to administer.

OpenWrt supports both, though results may vary on a RPi built in radio since those chips are not fully supported with open-source.

Worth trying armbian network manager first as PoC

Thanks guys will try but I will have limited access till the day of use. its not critical just means I wont be able to stream the event but I can record it and post later.....appreciate its a bit of a random how long is piece of string type question and I appreciate the suggestions.