Recently, I had to connect to a hidden WiFi network using EAP-TLS authentication. When configured via the NetworkManager UI on Ubuntu, it would work. However, on Debian Unstable running GNOME 42 and on Arch, the same process didn’t work. The problem seems to be an empty configuration line for domain-suffix-match that gets created. To solve it, you can remove domain-suffix-match using nmcli:
$ nmcli connection modify CorpSSID 802-1x.domain-suffix-match ""
Alternatively, you can configure the WiFi network directly with nmcli without setting the problematic property:
nmcli connection add type wifi ifname wlp0s20f3
con-name CorpSSID
802-11-wireless.ssid CorpSSID
802-11-wireless-security.key-mgmt wpa-eap
802-1x.eap tls
802-1x.identity guyru
802-1x.client-cert /absolute/path/wifi-certs/signed-certificate.cer
802-1x.private-key /absolute/path/wifi-certs/private.key
It’s important to use absolute paths for both the client certificate and the private key.