Hi, now this is strange. I'm in the middle of a certificate rollover. I have protected the old (1024 bit RSA) and new (4096 bit RSA) key with the same passphrase. Using "openssl rsa" on the FreeRADIUS box, I can decrypt both keys. When starting FreeRADIUS with the old cert+key, it starts up. When trying with the new cert+key: # Instantiating module "eap-staff" from file /usr/local/freeradius/config/raddb/mods-enabled/eap-staff # Linked to sub-module rlm_eap_tls tls { tls = "tls-staff" } tls-config tls-staff { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/usr/local/freeradius/config/raddb/certs/STAFF-CA/" pem_file_type = yes private_key_file = "/usr/local/freeradius/config/raddb/staff/cert-srv.key" certificate_file = "/usr/local/freeradius/config/raddb/staff/cert-srv.pem" private_key_password = <<< secret >>> dh_file = "/usr/local/freeradius/config/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1300 include_length = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 name = "eduroam-staff" max_entries = 128 persist_dir = "/var/log/radius/tlscache-eduroam-staff" } verify { } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } tls: Failed reading private key file /usr/local/freeradius/config/raddb/staff/cert-srv.key:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch rlm_eap_tls: Failed initializing SSL context rlm_eap (eap-staff): Failed to initialise rlm_eap_tls /usr/local/freeradius/config/raddb/mods-enabled/eap-staff[1]: Instantiation failed for module "eap-staff" Huh? The passphrase is identical, I'm pointing it to the correct filename, openssl can decode it - but FreeRADIUS can't? Looking at the encrypted private keys, I do see a small difference: OLD: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,EC24580B720DE947 [...] -----END RSA PRIVATE KEY----- NEW: -----BEGIN ENCRYPTED PRIVATE KEY----- [...] -----END ENCRYPTED PRIVATE KEY----- Both decode into: -----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY----- openssl can handle both. Any clue why FreeRADIUS doesn't? This is a 3.0.10 installation. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66