Server certificate and clients (eap-tls) certificate

work vlpl thework.vlpl at
Sat Dec 9 18:36:00 CET 2017

Do I understand the following correctly?

I should get valid ssl certificate from (Verisign or other CA) and use
it in `certificate_file` and `private_key_file`. This is tells radius
server clients, what server is valid. Also this will be enough to
enable eap-ttls.

The `ca_file` options should point to my self-generated/self-signed CA
certificate. And eap-tls clients certificate should be signed by this

Also I have question not related to freeradius server, but maybe
someone have an answer.
I can generate client certificate for eap-tls auth method with very
long lifetime, like 10 years, and provision clients devices with it
only once. But if certificates have short lifetime, I will have to
update it periodically. How to do it with minimal user interaction?


More information about the Freeradius-Users mailing list