ok :) I provide certificate files and eap.conf in a tar ball to not to post a mail too long. If I print user@example.com.pem in text form I see how radius is the issuer of the certificate. This is the default PKI and I don't know what I'm doing wrong. Thanks for your attention.
I get the exact same error at the CLI: [pjm3@localhost tmp]$ openssl verify -CAfile ca.pem < server.pem stdin: OK [pjm3@localhost tmp]$ openssl verify -CAfile ca.pem < user\@example.com.pem stdin: /C=FR/ST=Radius/O=Example Inc./CN=user@example.com/emailAddress=user@example.com error 20 at 0 depth lookup:unable to get local issuer certificate Your certificates are invalid: * server.pem is signed by ca.pem, which is correct: Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.com, CN=Example Certificate Authority Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin@example.com * user.pem is signed by *server.pem* which is WRONG Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin@example.com Subject: C=FR, ST=Radius, O=Example Inc., CN=user@example.com/emailAddress=user@example.com You have signed the user cert with the server cert, which is incorrect. You must sign the user cert with the CA cert.