Hello, Currently, I have in raddb/mods-available/eap the equivalent of: tls-config tls-common { private_key_password = whatever private_key_file = /path/to/my_server_key.pem # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. # # If ca_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = /path/to/my_server_cert.pem # Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication. # # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate. # # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. ca_file = /path/to/my_root_ca_cert.pem where the server's certificate (my_server_cert.pem) has been signed with the help of an ad hoc root CA (whose certificate is my_root_ca_cert.pem). It "works", in the sense that a client connecting thru TTLS receives both certificates, which is exactly what I want. :-) Now, it is true that I currently don't implement TLS. Putting above comments together, it seems that I could thus comment out the "ca_file = ..." line, and merge both certificates, my_server_cert.pem and my_root_ca_cert.pem, into a single file, say "my_combined_certs". And then define: certificate_file = /path/to/my_combined_certs What format(s) is (are) allowed by FR for that file "my_combined_certs"? Would a simple cat of the two certificates (currently in PEM format) be sufficient? TIA, Axel