Do I understand the following correctly? I should get valid ssl certificate from (Verisign or other CA) and use it in `certificate_file` and `private_key_file`. This is tells radius server clients, what server is valid. Also this will be enough to enable eap-ttls. The `ca_file` options should point to my self-generated/self-signed CA certificate. And eap-tls clients certificate should be signed by this CA. --- Also I have question not related to freeradius server, but maybe someone have an answer. I can generate client certificate for eap-tls auth method with very long lifetime, like 10 years, and provision clients devices with it only once. But if certificates have short lifetime, I will have to update it periodically. How to do it with minimal user interaction? -- Vladimir