Hi, Several years ago when Windows XP clients were around in my organization I had successfully configured freeradius with EAP-TLS and host certificates. Now, most of my clients are Windows 10 and just a few Windows 7. They can access with PEAP mschap-v2 via WiFi. I am now trying to configure WiFi access with EAP-TLS and host certificates. Please bear with me as I haven't handled freeradius for years now, and I'm a bit rusty. I already have a custom Signing Authority (ca.pem). So, within /etc/raddb/certs I ran the following after adjusting the corresponding *.cnf files: # make server.pem # make server.csr # make inner-server.pem # make client.pem The Windows 10 client has imported both the CA in trusted roots and the client certificate in the "local computer" store. I chose the common name "PC2036" (see below). The wireless connection is set up with a "smart card or other certificate" (computer account). When I try to connect I see this in the radiusd log (please let me know if you need the full log): (132) Received Access-Request Id 67 from 192.168.216.36:58425 to 10.215.144.91:1812 length 209 (132) User-Name = "host/PC2036" (132) NAS-IP-Address = 192.168.216.36 (132) NAS-Identifier = "10:be:f5:c9:ce:90" (132) NAS-Port = 0 (132) Called-Station-Id = "10-BE-F5-C9-CE-98:HMprv" (132) Calling-Station-Id = "4C-1D-96-4E-48-0F" (132) Framed-MTU = 1400 (132) NAS-Port-Type = Wireless-802.11 (132) Connect-Info = "CONNECT 0Mbps 802.11b" (132) EAP-Message = 0x028a001201686f73742f484d414e32303336 (132) Message-Authenticator = 0xc6775ce6e83151b7ecde4018fb87f5d8 (132) # Executing section authorize from file /etc/raddb/sites-enabled/default (132) authorize { [...] (132) ntdomain: Checking for prefix before "\" (132) ntdomain: No '\' in User-Name = "host/PC2036", looking up realm NULL (132) ntdomain: No such realm "NULL" (132) [ntdomain] = noop (132) [expiration] = noop (132) [logintime] = noop (132) } # authorize = updated (132) Found Auth-Type = eap (132) # Executing group from file /etc/raddb/sites-enabled/default (132) authenticate { (132) eap: Peer sent packet with method EAP Identity (1) (132) eap: Calling submodule eap_tls to process data (132) eap_tls: Initiating new TLS session (132) eap_tls: Setting verify mode to require certificate from client (132) eap_tls: [eaptls start] = request (132) eap: Sending EAP Request (code 1) ID 139 length 6 (132) eap: EAP session adding &reply:State = 0x007a782400f175f1 (132) [eap] = handled (132) } # authenticate = handled (132) Using Post-Auth-Type Challenge (132) # Executing group from file /etc/raddb/sites-enabled/default (132) Challenge { ... } # empty sub-section is ignored (132) Sent Access-Challenge Id 67 from 10.215.144.91:1812 to 192.168.216.36:58425 length 0 (132) EAP-Message = 0x018b00060d20 (132) Message-Authenticator = 0x00000000000000000000000000000000 (132) State = 0x007a782400f175f114c01cbf42164dc9 (132) Finished request Waking up in 4.9 seconds. (132) Cleaning up request packet ID 67 with timestamp +2318 Ready to process requests I then read this: https://wiki.freeradius.org/guide/certificate-compatibility So I decided to replace the whole certificate directory just to make sure the test certs work. So I ran this: # ./bootstrap # make inner-server.pem However, when I run the server I get an error reading its certificate. # radiusd -X [...] tls: Failed reading private key file "/etc/raddb/certs/server.pem" tls: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt tls: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error tls: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error tls: error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib tls: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib rlm_eap_tls: Failed initializing SSL context rlm_eap (EAP): Failed to initialise rlm_eap_tls /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap" # ls -l /etc/raddb/certs/server.pem -rw-r----- 1 root radius 3588 Jun 12 2020 /etc/raddb/certs/server.pem freeradius v. 3.0.20 I'm sure this is a silly mistake on my behalf. Any suggestions? Vieri