Hi all, I am trying to use freeradius with EAP-TLS but the client certificates are not trusted. We are using client certificates which are signed by our internal CA (signing chain is: client <- int-ca <- root-ca) Here is what I did: - Put the root CA and intermediate CA into "ca_path". - Set server.pem (issued by intermediate CA) - Set key.pem - Disable CRL/OCSP checks (for testing). The result when a client connects: /Certificate chain - 1 intermediate CA cert(s) untrusted To forbid these certificates see 'reject_unknown_intermediate_ca' (TLS) untrusted certificate with depth [2] subject name [ROOT CA CERTIFICATE] (TLS) untrusted certificate with depth [1] subject name [INT CA CERTIFICATE] (TLS) untrusted certificate with depth [0] subject name [CLIENT CERTIFICATE] tls: There are untrusted certificates in the certificate chain. Rejecting. (12) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:internal error (12) eap_tls: ERROR: (TLS) TLS - Server : Error in error (12) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed (12) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (12) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (12) eap_tls: ERROR: [eaptls process] = fail/ I also tried to chain the CA files or put the whole chain into the client certificate. When I try to verify with openssl, it works fine: openssl verify -CApath certs/ca certs/client.pem Using FreeRADIUS Version 3.2.4 Am I missing something? Best regards, Etienne