Can I use two or more freeradius server certificates for the same virtual site?

work vlpl thework.vlpl at gmail.com
Thu Nov 1 12:07:46 CET 2018


Hello.

Certificates have a limited lifespan. And when a certificate expires,
there is a probability that the new certificate will not be trusted by
clients with old configuration. I am searching for a way to smooth it.
One of the ideas is to configure freeradius to use two server
certificates. They will have different expiration dates. So the old
clients will be able to use the old certificate and the new clients or
clients with updated configuration will be able to accept the new server
certificate.

I tried to place two different eap modules one by one like

...
eap
eap2
...

In the hope that this will work like it works with modules with different
types (chap -> mschap -> pap). If the client does not accept the server
certificate from the first module, then try to send the certificate from
the second module. But the eap module is not simple and is called multiple
times (Challenge response) to set up an eap session, thus this approach
does not work.

And in the radius request I don't have any attributes that could help me
to narrow the request to the specific eap module.

So, is it possible to use two or more freeradius server certificates?
Or maybe somebody has ideas how to configure eap modules to do it.

--
Vladimir

