I had an idea on the way home last night. It's now implemented, and it's pretty cool. In eap.conf, the tls, ttls, and peap sections are now enabled in the default install. The EAP module ignores them if OpenSSL wasn't found during the build. The tls module now has a configuration entry "make_cert_command". raddb/certs/bootstrap is a shell script that runs "make". On initial boot in debugging mode after "make install", the server loads the tls module (if OpenSSL was found). The TLS module sees that there's a "make_cert_command", and it's in debugging mode, and no server certificate exists. It then runs the "make_cert_command" to create the certificates, and continues with its normal startup. This means that all of the annoying fighting with stupid certificates to get EAP-TLS to work is *gone*. Just install OpenSSL, install the server, and start the server. EAP-TLS, TTLS, and PEAP will Just Work. This makes me happy. It should make the server MUCH easier to deploy. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog