Recently, I had to connect to a hidden WiFi network with an EAP-TLS authentication. When configured via the NetworkManager UI on Ubuntu, it would work. However, on Debian Unstable running Gnome 42 and on Arch, the same process didn’t work. The problem seems to be an empty configuration line for domain-suffix-match that gets created. To solve it, you can remove the domain-suffix-match using nmcli:
$ nmcli connection modify CorpSSID 802-1x.domain-suffix-match ""
Alternatively, you can configure the WiFi network directly with nmcli without setting the problematic property>:
nmcli connection add type wifi ifname wlp0s20f3 \
con-name CorpSSID \
802-11-wireless.ssid CorpSSID \
802-11-wireless-security.key-mgmt wpa-eap \
802-1x.eap tls \
802-1x.identity guyru \
802-1x.client-cert /absolute/path/wifi-certs/signed-certificate.cer \
802-1x.private-key /absolute/path/wifi-certs/private.key
It’s important to have absolute paths to both the client certificate and the private key.