Hi everyone, I have a working EAP-TLS setup using FreeRadius version 3.2.7. I'm trying to extend this setup to use OCSP but have not been successful. My configuration is as follows: ocsp { enable = yes override_cert_url = yes url = "http://ocsp:8080/" use_nonce = no timeout = 1 softfail = no } I'm encountering the following error message: (4) eap_tls: ocsp: Using responder URL "http://ocsp:8080/" (4) eap_tls: ERROR: (TLS) ocsp: Couldn't verify OCSP basic response: error:13800076:OCSP routines::signer certificate not found (4) eap_tls: ERROR: (TLS) ocsp: Certificate has expired or been revoked For debugging purposes, when I disable OCSP and instead use the following configuration: verify { tmpdir = /tmp/radiusd client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/" } OpenSSL can communicate with the OCSP responder without issues (I adjusted the log formatting for better readability.): (9) eap_tls: Verifying client certificate: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/ (9) eap_tls: Executing: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/ (9) eap_tls: EXPAND %{TLS-Client-Cert-Filename} (9) eap_tls: --> /tmp/radiusd/radiusd.client.XXefFihM Response verify OK (9) eap_tls: Program returned code (0) and output 'OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: F15315BA08FFF6A2400A75BEB618F1E27B9A2869 Issuer Key Hash: 8CB54C92E9319D17C39400BBC7615AF888B15BB1 Serial Number: 6280251183391E42D0FC4BE701F4BA61B204EE9D OCSP Response Data: OCSP Response Status: successful (0x0) This is a simple setup where the same ca.pem is used to sign both client certificates and OCSP responses. I have tried different configurations, including enabling/disabling auto_chain, using both ca_file and ca_path, using only ca_file or only ca_path, and switching cipher_server_preference. However, I have not found a configuration that resolves the "signer certificate not found" error. I'm out of ideas. My full TLS configuration is as follows: tls-config tls-common { private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem ca_file = ${cadir}/ca.pem ca_path = ${cadir} auto_chain = yes cipher_list = "DEFAULT" cipher_server_preference = no tls_min_version = "1.2" tls_max_version = "1.2" ecdh_curve = "" cache { enable = no lifetime = 24 # hours store { Tunnel-Private-Group-Id } } verify { tmpdir = /tmp/radiusd client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/" } ocsp { enable = no override_cert_url = yes url = "http://ocsp:8080/" use_nonce = no timeout = 1 softfail = yes } } I'd be grateful for any suggestions. Best regards, Przemyslaw Basa