Hi, I'm trying to setup Freeradius 3.0.4 under CentOS 7 with TTLS-EAP and MSCHAPv2. My first tests with using LDAP in the back and the defaultly installed server certificate were successful. There won't be any authentication via client certificate. It's all about the server certificate for the TLS encryption. There is a self signed certificate which I would like install in the server. Now I'm somewhat struggling with the server side configuration. Why do I want these cnf files in the certs directory? Honestly I expected to just place the certificate/key files there, link them in the config and be done. I found some documents in the internet saying that this server certificate need extended key usage attributes (1.3.6.1.5.5.7.3.1). Is that right? The certificate is actually issued from a subCA. What do I have to consider when installing the cert, key and cacert in the FreeRadius server? Does the ca certificate need to be concatenated from the rootCA and also the subCA? What do I need to consider when it comes to installing the cacert to the clients (iOS, Android, Windows 7+, Linux, OS X). Does the certificate be a catted cert from the rootca cert and the subca cert? I there anything else I need to consider? We're using TinyCA 0.7.5. Thank you list -- Peakwork Signature *Jochen Demmer* Network Administrator T: +49-(0)241-4131146-29 jochen.demmer@peakwork.com peakwork AG | Sonnenweg 15 a | D-52070 Aachen | T: +49-(0)241-4131146-29 | F: +49-(0)241-4131146-17 peakwork AG (Headquarter) | Flinger Str. 36 | D-40213 Düsseldorf | T: +49-(0)211-91368-500 | F: +49-(0)211-91368-509 Executive board: Ralf Usbeck (chairman) | Markus Pfau | Michael Schmidt | Dr. Thomas van Kaldenkerken Chairman of the supervisory board: Markus Voelkel Company register: Amtsgericht Düsseldorf HRB 71223 | VAT ID.: DE264960677 Peakwork Logo www.peakwork.com | www.peakwork.de