hi, in the TLS RADSEC configuration, if I want to use OpenSSL for external verification (which i cant FULLY do...but still), I get the following error if I use the ${certdir} expansion - as used all throughout the rest of the config WARNING: No such configuration item certdir /etc/raddb/sites-enabled/tls[252]: Reference "/usr/bin/openssl verify -CAfile ${certdir}/CA.crt -purpose crlsign %{TLS-Client-Cert-Filename}" not found Errors reading /etc/raddb/radiusd.conf there appears to be another issue too... if i say that the cert must be valid for a purpose and its not valid for the purpose then it passes the test anyway(!) thats not what I had in mind ;-) (0) Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/radsec/CA.crt -purpose crlsign %{TLS-Client-Cert-Filename} (0) expand: %{TLS-Client-Cert-Filename} -> /etc/raddb/temporary/radiusd.client.XXP6KU60 Exec-Program output: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK Exec-Program-Wait: plaintext: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK Exec-Program: returned: 0 (0) Client certificate CN server.camford.ac.uk passed external validation run on the command line I get: server.lboro.ac.uk-PKI.pem: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.lboro.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK ...I'm guessing the OK message is the issue here - the command exited OK but the condition certainly isnt. alan