Hello, We're running into an issue where EAP-TLS authentication is failing due to the 'unable to get issuer certificate' error. This is only the case when freeRADIUS certificate was issued by the intermediate CA server (signed by the Root CA) and the client certificate was also issued by the intermediate CA server but Root CA installed on it. Note that Trusted CA (ca_file ==> external_ca.pem) in freeradius does NOT include the the Root CA and it only has the CA cert that's issuing the certificate (intermediate certificate). Snippet of eap configuration is as below (no CRL involved). tls-config tls-common { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = password private_key_file = ${certdir}/external_server.pem certificate_file = ${certdir}/external_server.pem ca_file = ${cadir}/external_ca.pem dh_file = ${certdir}/dh 2022-07-25 09:02:25,557: Debug: (259) eap_tls: (TLS) EAP Continuing ... 2022-07-25 09:02:25,557: Debug: (259) eap_tls: (TLS) EAP Peer sent flags --- 2022-07-25 09:02:25,557: Debug: (259) eap_tls: (TLS) EAP Got final fragment (313 bytes) 2022-07-25 09:02:25,557: Debug: (259) eap_tls: (TLS) EAP Verification says ok 2022-07-25 09:02:25,557: Debug: (259) eap_tls: (TLS) EAP Done initial handshake 2022-07-25 09:02:25,557: Debug: (259) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate 2022-07-25 09:02:25,557: Debug: (259) eap_tls: Generating SHA-1 Fingerprint for certificate 2022-07-25 09:02:25,557: Debug: (259) eap_tls: ETS-TLS-Cert-Fingerprint := "1C0D90361737BB7B7B8EAE62FDF7E6A680042DF9" 2022-07-25 09:02:25,557: Debug: (259) eap_tls: (TLS) Creating attributes from server certificate 2022-07-25 09:02:25,557: Debug: (259) eap_tls: TLS-Cert-Serial := "3b0000000a0d548d27e286f0ca00000000000a" 2022-07-25 09:02:25,557: Debug: (259) eap_tls: TLS-Cert-Expiration := "240722144713Z" 2022-07-25 09:02:25,557: Debug: (259) eap_tls: TLS-Cert-Valid-Since := "220722143713Z" 2022-07-25 09:02:25,557: Debug: (259) eap_tls: TLS-Cert-Subject := "/DC=com/DC=extrxiq-salem/DC=extrxiq-salemC/CN=extrxiq-salemC-WIN2012-752-CA" 2022-07-25 09:02:25,557: Debug: (259) eap_tls: TLS-Cert-Issuer := "/DC=com/DC=extrxiq-salem/CN=extrxiq-salem-XIQ-SALEM-WIN12-CA" 2022-07-25 09:02:25,558: Debug: (259) eap_tls: TLS-Cert-Common-Name := "extrxiq-salemC-WIN2012-752-CA" 2022-07-25 09:02:25,558: Debug: (259) eap_tls: ETS-TLS-Verify-Error-Code := 2 2022-07-25 09:02:25,558: ERROR: (259) eap_tls: (TLS) OpenSSL says error 2 : unable to get issuer certificate 2022-07-25 09:02:25,558: Debug: (259) eap_tls: (TLS) send TLS 1.2 Alert, fatal unknown_ca 2022-07-25 09:02:25,558: ERROR: (259) eap_tls: (TLS) Alert write:fatal:unknown CA 2022-07-25 09:02:25,558: ERROR: (259) eap_tls: (TLS) Server : Error in error 2022-07-25 09:02:25,558: ERROR: (259) eap_tls: (TLS) Failed reading from OpenSSL: s3_srvr.c[3344]:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed 2022-07-25 09:02:25,558: ERROR: (259) eap_tls: (TLS) System call (I/O) error (-1) 2022-07-25 09:02:25,558: ERROR: (259) eap_tls: (TLS) EAP Receive handshake failed during operation 2022-07-25 09:02:25,558: ERROR: (259) eap_tls: [eaptls process] = fail 2022-07-25 09:02:25,558: ERROR: (259) eap: Failed continuing EAP TLS (13) session. EAP sub-module failed The above example shows 'TLS-Cert-Issuer' is the root CA server which signed the intermediate certificate. A client was authenticating fine on freeRADIUS server running 3.0.21 but after we upgraded the freeRADIUS to 3.0.25, we're starting to see this issue (see above the debug). No configuration change in eap file between versions. If we install the 'root' certificate to 'ca_file' in 3.0.25 (no needed in 3.0.21 as it only required intermediate cert), then the client authentication started working. Is this known issue OR expected new behavior? If so, what would be the reason why it worked in 3.0.21 not in 3.0.25? Thanks for the help.