Default Certificate Expiration Time

Alan Buxey alan.buxey at
Tue Jun 5 19:38:23 CEST 2018

>Once the initial EAP testing has been performed, it is time to create the
real certificates to use in your production network. These certificates
will be configured on the end hosts that will be >doing PEAP, TTLS, or
EAP-TLS authentication

that would usually mean using your local CA and getting a server cert
signed by that and then using that on the server..... or updating the basic
stuff that is in ca.cnf/server.cnf etc to be proper and relevant to your
needs.  the provided scripts just generate quick 'getting started' certs
for testing/early phase that are only valid for 30 days.

and by the way, your clients are not configured correctly if they happily
just install new certificates when prompted...they should be properly
configured in their settings to only trust
a particular CA and radius server cert name (usually use a deployment tool
(free or commercial) to do that


On 5 June 2018 at 17:03, Matt Zagrabelny <mzagrabe at> wrote:

> On Tue, Jun 5, 2018 at 10:51 AM, Mitch Sullivan <
> mitch.sullivan at>
> wrote:
> > Is it possible for me to change the certificates so they last a year?
> >
> >
> Tweak the
> default_days            = 365
> in
> certs/ca.cnf
> -m
> -
> List info/subscribe/unsubscribe? See
> list/users.html

More information about the Freeradius-Users mailing list