Hi, I try to configure a private network with a WiFi Access Point using WPA3-Enterprise with a RADIUS server on a Raspberry Pi 3 Model B with FreeRADIUS (v3.2.7) and EAP-TLS 1.3 as authentication protocol. I ran the bootstrap script file to generate the example PKI, I installed client key/certificate and CA certificate on my Windows 11 PC. It works well. However, after generating my own PKI with the same pattern (One CA generating a server certificate and a client certificate), and installing client key/certificate and CA certificate in my certificate store the same way I did for example ones, it doesn't work.
From the debug output it seems that client PC says that the server certificate is issued by an unknown CA but it is installed the same way that the example one. Also, I verified that the server certificate from my custom PKI is correct and has been issued by the custom CA whose certificate is installed in my PC's certificate store. I made sure also I added the correct usage extension for WiFi. I can't find solution on the web or similar problem, neither from Chat-GPT.
Attached to this email, you will find both freeradius -X outputs from the example CA and the custom one. Also, you will find the certificates from both PKI. Have a good day, D. AUBIN
On Dec 16, 2025, at 10:17 AM, Aubin, Dylan via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I try to configure a private network with a WiFi Access Point using WPA3-Enterprise with a RADIUS server on a Raspberry Pi 3 Model B with FreeRADIUS (v3.2.7) and EAP-TLS 1.3 as authentication protocol. I ran the bootstrap script file to generate the example PKI, I installed client key/certificate and CA certificate on my Windows 11 PC. It works well. However, after generating my own PKI with the same pattern (One CA generating a server certificate and a client certificate), and installing client key/certificate and CA certificate in my certificate store the same way I did for example ones, it doesn't work. From the debug output it seems that client PC says that the server certificate is issued by an unknown CA but it is installed the same way that the example one.
This is really an issue for the client side. There isn't much you can to do FreeRADIUS to make the client recognize the CA.
Also, I verified that the server certificate from my custom PKI is correct and has been issued by the custom CA whose certificate is installed in my PC's certificate store. I made sure also I added the correct usage extension for WiFi. I can't find solution on the web or similar problem, neither from Chat-GPT.
Chat-GPT is useless. You'll have to figure out why the client hasn't installed the CA properly. Once the CA is installed, EAP-TLS should work. Alan DeKok.
From the debug output it seems that client PC says that the server certificate is issued by an unknown CA but it is installed the same way that the example one. Also, I verified that the server certificate from my custom PKI is correct and has been issued by the custom CA whose certificate is installed in my PC's certificate store. I made sure also I added the correct usage extension for WiFi.
Did you add your ca.pem file from our own PKI to FreeRADIUS and reference this within mods-available\eap? If the server key and certificate are in the same file, you would have set this as follows: private_key_password = something private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem Then you would set your reference to your ca.pem file: ca_file = ${cadir}/ca.pem The directories referenced above are defined in radiusd.conf: certdir = ${confdir}/certs cadir = ${confdir}/certs Sam
participants (3)
-
Alan DeKok -
Aubin, Dylan -
Sam Hutchings