TLS Certificate error?

Ben Humpert ben at
Tue May 26 16:21:40 CEST 2015

What kind of certificates do you use? RSA or ECDSA? If these are
simple RSA certificates try using a simple tls config.

private_key_password = “REDACTED”
private_key_file = "server.key"
certificate_file = "server.crt"
ca_file = "server.crt"
dh_file = "/Library/Server/radius/raddb/certs/dh"
ca_path = "/Library/Server/radius/raddb/certs"
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"

these are the only configuration options in the default FR 3.0.7 eap
tls config and it works well for me (RSA with sha256). Also make you
you have the correct "Extended Key Usage" OIDs set for each the server
as well as the client cert.

If this doesn't help reupload / install the correct certificates on
your client and as well as your radius server. Don't think "this is
the correct cert", just replace it with the definitely correct one
from your CA. SSL can't decrypt thus the private key doesn't match the
public key so either the config is broken or you haven't updated the
key but the cert (or vice-versa).

2015-05-26 14:19 GMT+02:00 Alan DeKok <aland at>:
> On May 25, 2015, at 10:46 PM, Scott A. Johnson <scott.a.johnson at> wrote:
>> I’m using version 2.2.0 which is installed with Mac OS X 10.10.3.  Trying to get EAP-TLS working.  I *think* I have my certificates installed, and permissions set correctly, however my clients can’t connect and the error, best I can tell, is certificate based as I receive the error “certificate signature failure”.  Where I’m not sure is if this means I have something wrong with my public/private key, an error in my config files with FreeRadius, or something else entirely.
>   Magic... deep magic.
>   Not really, but sometimes SSL feels like that.
>> --> verify error:num=7:certificate signature failure
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
>> TLS Alert write:fatal:decrypt error
>   That's not good.  I've seen it from time to time, and honestly... it's not clear what's going on.  I'm not familiar enough with the SSL internals to say.
>   Try using the fake certificates in raddb/certs/.  If those don't work, then the system is broken.  Something in the client, or OpenSSL, or 2.2.0.  If those certificates do work, then the certificates you're using are broken somehow.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list