Add support for domain-suffix-match 802.1x option

Role now supports validating the domain name of the EAP server certificate. Regenerated the CA certificate as the private key for the original CA has been lost. Updated test certificates to include a domain name in the CN so the domain-suffix-match feature can be tested.
2026-01-23 02:15:17 +00:00 · 2020-05-03 19:35:39 +10:00 · 2020-05-03 19:35:39 +10:00 · 939772fdc1
commit 939772fdc1
parent 9d561ea915
10 changed files with 107 additions and 80 deletions
--- a/README.md
+++ b/README.md
@ -463,6 +463,10 @@ SSL certificates and keys must be deployed on the host prior to running the role

    If set to `True`, NetworkManager will use the system's trusted ca certificates to verify the EAP server.

+  * `domain_suffix_match`
+
+    If set, NetworkManager will ensure the domain name of the EAP server certificate matches this string.
+
 Examples of Options
 -------------------

@ -672,6 +676,7 @@ network_connections:
      private_key_password: "p@55w0rD"
      client_cert: /etc/pki/tls/client.pem
      ca_cert: /etc/pki/tls/cacert.pem
+      domain_suffix_match: example.com
 ```

 ### Invalid and Wrong Configuration
--- a/examples/eth_with_802_1x.yml
+++ b/examples/eth_with_802_1x.yml
@ -14,6 +14,7 @@
          private_key_password: "p@55w0rD"
          client_cert: /etc/pki/tls/client.pem
          ca_cert: /etc/pki/tls/cacert.pem
+          domain_suffix_match: example.com

  # certs have to be deployed first
  pre_tasks:
--- a/library/network_connections.py
+++ b/library/network_connections.py
@ -1021,6 +1021,12 @@ class NMUtil:
                connection["ieee802_1x"]["system_ca_certs"],
            )

+            if connection["ieee802_1x"]["domain_suffix_match"]:
+                s_8021x.set_property(
+                    NM.SETTING_802_1X_DOMAIN_SUFFIX_MATCH,
+                    connection["ieee802_1x"]["domain_suffix_match"],
+                )
+
        try:
            con.normalize()
        except Exception as e:
--- a/module_utils/network_lsr/argument_validator.py
+++ b/module_utils/network_lsr/argument_validator.py
@ -747,6 +747,7 @@ class ArgValidator_Dict802_1X(ArgValidatorDict):
                ArgValidatorPath("client_cert", required=True),
                ArgValidatorPath("ca_cert"),
                ArgValidatorBool("system_ca_certs", default_value=False),
+                ArgValidatorStr("domain_suffix_match", required=False),
            ],
            default_value=None,
        )
--- a/tests/files/cacert.key
+++ b/tests/files/cacert.key
@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,B773C37C13C791B1B2F735A7D6D22F1D
+
+KcpCACKK2i/zLDkH/e2bM/3hzyuC7UkSJ32Vn2xvH6ukKzOpt71PJjtzucY3TgB7
+T8fYDJ0OGFfW/97M9OSjY10+wo/Vn+aTTCJWe2Y0+JeoV+bFJq33fuP0SlJI1PIU
+CrxnWhFUM3iaDHjuJ32GaUCkLozKTRdb5KT0BttSdSudnT+9d6zHejCwvYEaGek0
+C3fifoN2xC47P+63UF40KWMP0+j83ZRtHXUUgQ9E0Eqmbag6jTBh2TvV/PiaWlRv
+YCVMapOBs0ktSPPJACygRJcR63MocS9of7aRaPMCDP7HpzrjzKnHqJ+bPteuaE4k
+UmVOlrBsJb4g/zpfT4Ee2waT/mKEiRtNhf8a7DNkc34I50iMqhOojM1zRPtQugO6
+5BGhFeciHCe7RzHvltWJRmLrl+H7Z8wvusxbSQRM5ZT18+wgBkgTb8dA3bmZS0Ws
+JYcd9BN8zbsxETo/IFZ2gFOaVvOymVE5mscRR21RsiBi1vfqjl+pAt4ZrlGwVpxL
+3z3yvT3lAx8Cgeg8dCxrDNb14Xwk+hkBblExLMXsUGCsRXJglk9QVPE0XjKD9XNa
+mZnBHOpAsdPun58PRiaPpC+VgaFBhzPHTyBczCG1sjpkOiTJpGLpgveAq4wOXQGH
+PMcux4ZDARYbJfGXANNqloIO3PHDPuhVmSAJZSMixDd4SLKjT6tALdqIv1BvOLl7
+Ay0y3Vie4oGc4EWjHqQA+r+6CATHHXtIOvWLJQ4/KQa/R+pTp0qDtXdOeHaAZzhv
+BpqvQUouKUyxXlGFZrGUq9l+sFtjLlcKP33Yb2WHg4ct0gAVDIA6SK4rNH6+h/NS
+rFQNOvArTeZgLCaG6htJh68WLF8p6687s4bKNM8niZ5VcsFTvMYPbfF5WdE0l53s
+fZpZBf1v03ZRJYg2V9a0sNPEysaIaTJzs5lFeya78iTF/Epo4GtTHv8sWebVwh/H
+FYINLIcPzzxAvw7a+7ymIsYZphomuEoCCoX85DPPbXfZOb2Bdysfdr7uyRsB480E
+or6+gQxZJWxcO5tMR7+G8EuUgnPMelVNczw3UJHM+sl4Kjh9q3hF4ppWFTIOaPQ/
+BL3qPE/ZxSFC8UcG+QJEbNmPPQLXnpWPUZ3GmyH/+pPUZCkcWanpn0W3chGlJCsW
+spkDMt/dpPtje1q7rfrWCVAYo4AeYzigSuxoyfpBfqcpD6wAssPQmWj4fFr91RW7
+p/iLlACpevyecALrJpU65yGWDvGWlx+dEqvdz7FRUSTkVrted/W3pmro8eDAInWx
+17VM0hHfNE00hwpGaga2CY8q3EC+3kApSE6d8dbBtSzBp4YZsGq+p+Xkj7mTc/rn
+mXJazUSPjNhWooI+0pN2VxB3HRBloNjsQOLaWVcSiv6l3wKl70ZbBjPkikO05k+v
+QXayu3i9RjXvhT974atOqoqCSigc8ROsCYGxgHjwVMU9Spc9i8y6PrgX9ID6yk9f
+9YcJjmtEi6MYh0uXNkx2m6utMjgcuAqP8yfPqeBRK2SOoLuBM9JKP8tjwq4ZBawj
+SuWe82zTRjR2oXMgNy6gBBDGky+W7kNaNw/KksZUxdiNhzeDRbDG8hMJI1HcY4xQ
+-----END RSA PRIVATE KEY-----
--- a/tests/files/cacert.pem
+++ b/tests/files/cacert.pem
@ -1,32 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIFiTCCA3GgAwIBAgIUK0vXQP5fEgyCtfY4pt2yU9bDMlAwDQYJKoZIhvcNAQEL
+MIIDizCCAnOgAwIBAgIUG1DftQ2xyrN+HE+KHLFmKHZnIkcwDQYJKoZIhvcNAQEL
 BQAwVDELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
-CgwTRGVmYXVsdCBDb21wYW55IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yMDAy
-MjgwODUxMzdaFw00MDAyMjMwODUxMzdaMFQxCzAJBgNVBAYTAlhYMRUwEwYDVQQH
-DAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxEDAO
-BgNVBAMMB1Rlc3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDa
-kLkNqQmEWCs/o39iPSlHrnuXvvqQUziGO635w16OeGgix4QY+H7My0uY801/WN2F
-8dzHbpKkFJ3pvFhnbq/vcoUvY/Folb9YoMyjwEJoUiSyZ2n9YiV4HkpC+Y+aFG2P
-IlBcGnRxBV4M35ZNpbvOwSWqgwIgN5Z7ET4nP0P1v5BzQa3FJYdd1nh2YEljGRE+
-aTchVhdIYN4+4YXx1rvzQs4I0Tqr3tGM4zCWTQp34LYnyQMAysXQOnwJsX8/G4Lw
-AtH8cFexdoHft8uL8YHbxV8gDVBpvZSl9kmkX204hozJzsRQzSbuVw6wb2ggaYei
-HdOwORYJfoC6eKOiYJEHczHkkchmbj8qFP1IKUQOPE39W8swO/2j56Qvfv9vBIUw
-4QklSU3CLYpr1jjeHuKuOkSTlFSOyvN6HOxLla/YqdshGwdo8duKz3gr85lJbzHT
-9IfI2r7g8fTwcVcH0DfS7Ku4OXTIqyJw/ZO77hMpF0x6U6GCHxi8I9sGjN0JVCeE
-43/ad3tr9KOlGQuiDR9rz5XkCbdPgaiJ+P3nfO2fMFCUaFOr0lFj4meCKC49+sdw
-CDDpW0Cqkm142co1/J64YNw/z2A3ESJrckP9NCOb6zkCZS6j+T2Nir0fI6Ix1uOX
-SHKinD4KT0WgOrJLxlZdLxsCnHp57G9PQqK8RXU5VwIDAQABo1MwUTAdBgNVHQ4E
-FgQUOJF6JV8Q3HPuOp1UZo+KyYcddgwwHwYDVR0jBBgwFoAUOJF6JV8Q3HPuOp1U
-Zo+KyYcddgwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAUQ3f
-e6EiWU/TBewakD/yrNzMxuqOS6ptDq6OPYolpdrkCogtUvL6wga7PVgEb8v+kBD1
-A0C4eA6Q+M/xOiFKSiErckQzEJggxN+C3N4rRS7F2fnMUjWjwApMxW/zPyTIGKDP
-rxRNIJyfjuvxv8XnugDNjdg496beYlhOzvCVDO6hxt/V83NZBbcXY2GBUKnuldmd
-21x7g/coajPuocWgK2s4OWU251ujCCggru5hRsxm3Ag68ZWCIqYu/rRN0z1V31OI
-xc5OQsrkdrDez/iZMrw6N/rK8Xez0zqXU7v32gou7FoZxqx1yOZtkBMBsSXf/Fue
-28maCNsE4S/HRcQQv91F/e/QtpfLmRBa6FIslBh334YzBKyuD6QLjMraDO3X8DjD
-3i434Fgf5v7jttfEOrRKN7Yvb+IXZ25UhVGWUY1CsGQ57ZdUwwuD/bdeZLLAhl9X
-r8PhHQ5YJV6NcGXMsvuvARlPILXLpAsP3IpXQq5l0GeHuRV2hwqiIV//qcgIz5qb
-B7voqbr+2k652OOsG/tRIOvZlJBmdPkq+Beeutvx0j1VKNflBnxDMMO6zyhLVdO2
-RB8Lx2IEM8KA4p1IhnEi7g3mtQsu6IlY4Qfuje8rE0xMY28rxr977sBvvdsfkeUd
-O/Ut71oKxQ/z0H/Iy1BiBoUzuK0XL079lou4ft0=
+CgwTRGVmYXVsdCBDb21wYW55IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAgFw0yMDA1
+MDMwNTI2MTFaGA8yMjk0MDIxNTA1MjYxMVowVDELMAkGA1UEBhMCWFgxFTATBgNV
+BAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEQ
+MA4GA1UEAwwHVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMGAmO9ugnI/jaw4qNTyh/O65BNEvzOIwLU0mo3wTOSiakoOuC0gqO4S+0FOmC6v
+ceoArS+GllowzrgnnmM4EH9hqmiLeFKa4Z2graIm2W86ayN5k3psiMolONOZ8y0r
+nAMj84FifDYIOHoYbKUeN5BDsotrHbrZ/PZhlZgN1ou3gapXqM12TkXdzaj//vRd
+CORjwO1ubpzb17PFUNOLWaDf3ohfoMCG08UkGwIGK0mouJ1yflda27MCcLzmDxV8
+4dfI//R/6WtN1hzWSW9ae99VwSjlACH2go/0fDD+K9jvKkEVRZAqBEnM3voQCOah
+P9NMJ30R9Sh8B/D2KXGyIU0CAwEAAaNTMFEwHQYDVR0OBBYEFDUKdAwDiWpUpayU
+mjiWEcMcXjQdMB8GA1UdIwQYMBaAFDUKdAwDiWpUpayUmjiWEcMcXjQdMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKEyNiDawDJeaauDUmHgdNlG
+WuBlvn4Lph/+J27njmAoIbKv3aDw+kndxI02ryCZTJOm8a1NqHfkNct4ny+Cj4cz
+rNoZIyMucVoKGgCMYb5zwYtW3W7RshUZoBdQDBLiIuktNsWTyqss3yVPPq8Q1JJY
+89dtjCNydL6dunFSrGjVJ2K5HaTyidti2IN9g2Sbxmxgoz71ZP09xmBxaY+O738M
+z5nRdrb2DX0flmv5pcqSzn7063t9FGKOp2bF9NTpcEWkultsCOvsVcsO4X/18L4J
+3W8FVltyCvunv4GQecWqlNHTRT+QI2h48EVEzHQnOGEe9q1C8WVGeQ3cZXMei8k=
 -----END CERTIFICATE-----
--- a/tests/files/client.pem
+++ b/tests/files/client.pem
@ -1,27 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIEqDCCApCgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCWFgx
+MIIDrDCCApSgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCWFgx
 FTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
-IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yMDAyMjgwOTQ0MjlaFw00NzA3MTUw
-OTQ0MjlaMF0xCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
-BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxGTAXBgNVBAMMEFRlc3QgQ2xpZW50
-IENlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5CKlKT37St3+o
-EwNGIXNXy8OSxq55WmF6MYSCJCGq1QOCNz+i3+jszx8VULrBq7aLFOcQwe5leCgE
-4oBPFfzTkWCASwssv3w6c3sDJNMo60dV8iaArd8nVj2X3n7ae4laGZpqfS+vdgyn
-rPeVJr6GWGFNjH+Yi9NmGj8rf4wRODwMR+VBRKSECWsVIRqGvY+7/IROvxz7y8pM
-OdkMu9wXLK4O0DP5yURBRWd1YlClClJV9H3jEq7NqPXSZQD1S2/hGRs0nvz8qB1N
-toYg5UtSdgIlSDx3f9hXto0KqtocEBn1qg9Lh2XjopcLeqloQEV8poX5Fw9JVS1z
-h4JDviQrAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5T
-U0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBShQJXhPekXBpAdhKUK
-vwip1379NzAfBgNVHSMEGDAWgBQ4kXolXxDcc+46nVRmj4rJhx12DDANBgkqhkiG
-9w0BAQsFAAOCAgEAzY1ifNUYYVvWt0vR+gq37rLG5QZvlt5/pkVDYHgolChZCDmD
-NWTH5MR/T+L+akFzbuIeOfQzTQMW/8fm9lHf6/e2coDtzLDKkukVCKIGZgrkyF9N
-wT1xnvqCAERw0WfGFJn7auhIrExqgsrJbAorUMnVZAdrBosDWGMULNquyZMfVvAE
-VXDDqjQIXe3AMA2yOgMEWoBVQMFl33BTz/NlGaE15wR8OsYRAs8/8nJewCLg4f6a
-n2wz1/JIZI0ztTCO1cMrmI8i7TYIUlHQMK1QhF0aEFV1yFj+QDEc0iiIZu+i6O45
-K1TjElXIr4MrEzdI3A5ZIN+VZ7mtzq/2CIZTTir94XLcQ3BvwYJssMWxAPQb6lRA
-4k+7xifr3V7u7glMxpilIxV5CpZZ4anqRMzFbJa2MOmyAXZxk7SpcD2/MugHfJiL
-TWfwFcClRogqXx/loEgzXExV1MrYKQBrqMlHB5eZ77M+PFpMhVh7yY5jjWT0giOM
-MXFFKL8sI3VZdT9VcKZLgKpl4KWDh+cldyJdNNCDA29gtCRO+N+d4CAl6dK6nRrI
-lL81UTEexmaCL9YjLBs70/HBKCkUDOmtAR7gJ01S4Kogv4gIepCAcGmVItzF+6fw
-YsbkynxXIHQcODaB2d7FFzP0QJkc6pSMIi7ioO7a+aYx8NpIDYIxxLzF39Q=
+IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAgFw0yMDA1MDMwODUxMTdaGA8yMjk0MDIx
+NTA4NTExN1owXzELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEc
+MBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEbMBkGA1UEAwwSY2xpZW50LmV4
+YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuQipSk9+
+0rd/qBMDRiFzV8vDksaueVphejGEgiQhqtUDgjc/ot/o7M8fFVC6wau2ixTnEMHu
+ZXgoBOKATxX805FggEsLLL98OnN7AyTTKOtHVfImgK3fJ1Y9l95+2nuJWhmaan0v
+r3YMp6z3lSa+hlhhTYx/mIvTZho/K3+METg8DEflQUSkhAlrFSEahr2Pu/yETr8c
+8vKTDnZDLvcFyyuDtAz+clEQUVndWJQpQpSVfR94xKuzaj10mUA9Utv4RkbNJ78
+/KgdTbaGIOVLUnYCJUg8d3/YV7aNCqraHBAZ9aoPS4dl46KXC3qpaEBFfKaF+RcP
+SVUtc4eCQ74kKwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
+cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUoUCV4T3pFwaQ
+HYSlCr8Iqdd+/TcwHwYDVR0jBBgwFoAUNQp0DAOJalSlrJSaOJYRwxxeNB0wDQYJ
+KoZIhvcNAQELBQADggEBALXhDSFirybmhZXcHuSqXn0tLp6mZintW+91B81bDUtO
+FuCrWqXwV0iensm94mOeykGIR/r0Y0Y4uqOHpIznY+q5NIek0qIdirbdr5mCXK5y
+fxXVIMM14GMTyIR9A4+IZaRkFbcrVnBhOdUpTQjp88jlzDr5jdyjTEnOZyOJH9kL
+Qpd417iB4X5TxuQ2xe5EgHOCb8OfxO0a2BzlwtfUQAkz2v+h0RlVBwQFcE2NCJ3z
+hvF3AWGl+5pkfWpY6d+1EPI3+82C6uRf8be/WKHPKu3i0irrVtZdMsKNkRiD5UUK
+S4Y0WnoVu/DWSR8h9iPGSFKMkUcjFI8hgc4YQ6G4Odc=
 -----END CERTIFICATE-----
--- a/tests/files/server.pem
+++ b/tests/files/server.pem
@ -1,27 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIEqDCCApCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCWFgx
+MIIDrDCCApSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCWFgx
 FTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
-IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yMDAyMjgwOTA2MTlaFw00NzA3MTUw
-OTA2MTlaMF0xCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
-BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxGTAXBgNVBAMMEFRlc3QgU2VydmVy
-IENlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFwLjgCZ0pAEPB
-HrtoxM+qY27od+Np1mqwPbFmPlcxV2fiRquqxVghsow6r5JHOCblpn+TNAgKlckx
-d+PXpwgPoELE15x8lU5+8/IjSQJRsx/VhmJEbYWYHZWwbwBUMZaafhrtKZfJoIDR
-pzx2SKmeUIXad10uFwFqT8uz6GNFg3tVIsu/E7wpPjaK+G4/1iAZjUrli1p73Qfg
-cGIrFueTA5TGL3ChsRFJdIuBvh765fxZGurEghiYcX4bO/mSKVEWs/AoGajeJ1U+
-uqOxyFl7Sjyb+ds2jdLNYYj191efT4qBmhB0bdmLFfq46GsKoneImaceSnhpcovl
-jsmZf8UVAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5T
-U0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBTHtNcLFSKihvvmv/WQ
-zKkJjL0yPTAfBgNVHSMEGDAWgBQ4kXolXxDcc+46nVRmj4rJhx12DDANBgkqhkiG
-9w0BAQsFAAOCAgEALDrMv9TBWjVMeBUaRiaF+CDVD+Ng1Frzp37tSLbBmfcViaPl
-2vQ23wDTc0SU+bamfyrIF0IRDDNM6cUkuC306+18AtXcz1taPFu6mWhtz+j4Hncm
-EpMSUxvmTvr9dSUuEdX74v7tA4YqThzolEbsedAr8oe6RBjntAKugG9035z/mWuO
-WNw8P3QI6eSX/APzFON/9dt9fkKU2piKgDQYvNEtCPqp1Tr2MkdRzfvyL/ZGR5yn
-kuSRZLSFJyBHnnjCjrK40nt0ooVFXTpqDb8gEFn3DOLXHWLy6tWAQi6fKBQWai7v
-8Mz7OyQHEwEsdM3bLWVJwe4tzJA2Ct22HsHWixuEEtQFwnuGm/tEOJ3HwVPjn5QP
-2ut8yH5Ij45XeBTxkMiKie/Eb43ob8o30jCUtGuM48azyZ+byaIqVYZ/DX8NQAdC
-EGRA1nWHmr9nFvcpa98kjiKcQtb7Nb/Ewq5ys/mYAwAs3yD9FNt+ujb1/y9PLN5Q
-+NkcFrPuCmIj5c3jOi0AwPD+WuTHBwJ3D7+2gUByVYf6GravI6N6uXEjOD2/Wcl0
-TtjlhiWvMK9bXu2F4FBLc+GXrawiG4aTNmi278bTSF6qIxrN5+A5JRU7eUtbCnpY
-piA3Y/2Pu8YoM3coGWqtVfFddJr1raQ5LHjxIfDUd0kKPbfpjlaaa3aJQdg=
+IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAgFw0yMDA1MDMwODUxMzBaGA8yMjk0MDIx
+NTA4NTEzMFowXzELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEc
+MBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEbMBkGA1UEAwwSc2VydmVyLmV4
+YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxcC44Amd
+KQBDwR67aMTPqmNu6HfjadZqsD2xZj5XMVdn4karqsVYIbKMOq+SRzgm5aZ/kzQI
+CpXJMXfj16cID6BCxNecfJVOfvPyI0kCUbMf1YZiRG2FmB2VsG8AVDGWmn4a7SmX
+yaCA0ac8dkipnlCF2nddLhcBak/Ls+hjRYN7VSLLvxO8KT42ivhuP9YgGY1K5Yta
+e90H4HBiKxbnkwOUxi9wobERSXSLgb4e+uX8WRrqxIIYmHF+Gzv5kilRFrPwKBmo
+3idVPrqjschZe0o8m/nbNo3SzWGI9fdXn0+KgZoQdG3ZixX6uOhrCqJ3iJmnHkp4
+aXKL5Y7JmX/FFQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
+cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUx7TXCxUioob7
+5r/1kMypCYy9Mj0wHwYDVR0jBBgwFoAUNQp0DAOJalSlrJSaOJYRwxxeNB0wDQYJ
+KoZIhvcNAQELBQADggEBAKtTPl4WJuxfMeut+aEw7vVRU+z5A7D35nlZPQI5nBTt
+ybgqMNIjdcYT/JwT2GhbzcObc3STNEo582clVN9gTpK7mYKzBBf69nTsWeZzPuNt
+JQbVbK4RHwFvyosJcw6NfzxE9OxeXhTcKQDQSGKP338sAWoapEZlXNrYOIJac6HX
+Xo3dQqx/8BdO9hSv1u0/zClnL5lbk1RBylS24wIe8wLoiy4ftLjL4aOYOlonj7HU
+hknTY6L30oOpG5VtH8SEv3xveH/5GNKwfoGltTzemCgVfb9IhyVTLB3tIv8OW6k1
+y3+YEzVniVB4gtJ5UniLN1V4lBf6t7MGn0ybAEbOxPI=
 -----END CERTIFICATE-----
--- a/tests/playbooks/tests_802_1x.yml
+++ b/tests/playbooks/tests_802_1x.yml
@ -54,8 +54,8 @@
                persistent_state: absent
                state: absent
        - name: >-
-            TEST: 802.1x profile with unencrypted private key and
-            system ca certs
+            TEST: 802.1x profile with unencrypted private key,
+            domain suffix match, and system ca certs
          debug:
            msg: "##################################################"
        - name: Copy cacert to system truststore
@ -86,6 +86,7 @@
                  private_key_password_flags:
                    - not-required
                  system_ca_certs: True
+                  domain_suffix_match: example.com
        - name: "TEST: I can ping the EAP server"
          shell: ping -c1 203.0.113.1
      always:
--- a/tests/unit/test_network_connections.py
+++ b/tests/unit/test_network_connections.py
@ -1956,6 +1956,7 @@ class TestValidator(unittest.TestCase):
                        "client_cert": "/etc/pki/tls/client.pem",
                        "ca_cert": "/etc/pki/tls/cacert.pem",
                        "system_ca_certs": False,
+                        "domain_suffix_match": None,
                    },
                    "mtu": None,
                    "name": "eth0",
@ -1987,7 +1988,8 @@ class TestValidator(unittest.TestCase):

    def test_802_1x_2(self):
        """
-        Test private key without password and system_ca_certs
+        Test 802.1x profile with unencrypted private key,
+        domain suffix match, and system ca certs
        """
        self.maxDiff = None
        self.do_connections_validate(
@ -2027,6 +2029,7 @@ class TestValidator(unittest.TestCase):
                        "client_cert": "/etc/pki/tls/client.pem",
                        "ca_cert": None,
                        "system_ca_certs": True,
+                        "domain_suffix_match": "example.com",
                    },
                    "mtu": None,
                    "name": "eth0",
@ -2051,6 +2054,7 @@ class TestValidator(unittest.TestCase):
                        "client_cert": "/etc/pki/tls/client.pem",
                        "private_key_password_flags": ["not-required"],
                        "system_ca_certs": True,
+                        "domain_suffix_match": "example.com",
                    },
                }
            ],