Server certificate and clients (eap-tls) certificate

Alan DeKok aland at
Mon Dec 11 22:12:42 CET 2017

On Dec 9, 2017, at 12:36 PM, work vlpl <thework.vlpl at> wrote:
> I should get valid ssl certificate from (Verisign or other CA)

  Please don't.  It's generally a bad idea.  Use a self-signed CA.  That way you can control it much better.

> and use
> it in `certificate_file` and `private_key_file`. This is tells radius
> server clients, what server is valid. Also this will be enough to
> enable eap-ttls.

  That's what the documentation says to do...

> The `ca_file` options should point to my self-generated/self-signed CA
> certificate. And eap-tls clients certificate should be signed by this
> CA.


> ---
> Also I have question not related to freeradius server, but maybe
> someone have an answer.
> I can generate client certificate for eap-tls auth method with very
> long lifetime, like 10 years, and provision clients devices with it
> only once. But if certificates have short lifetime, I will have to
> update it periodically. How to do it with minimal user interaction?

  Magic. :(

  Most OS vendors make it hard to push EAP configs to end-user machines.

  This may help:

  Or, there are commercial providers who charge for the same services.

  Alan DeKok.

More information about the Freeradius-Users mailing list