On your Server Settings page there are two tables with certificate information. Both tables will contain at least one certificate to ensure a normal operation of your systems.
By default, RADIUSaaS generates a RADIUS server certificate signed by a Certificate Authority (CA) that is available on our service solely for this very purpose. We refer to it as the Custom CA. The Custom CA is unique for every customer.
To create your Custom CA, follow these simple steps:
- 1.Click Add
- 2.Choose Create your own CA
- 3.Click on Create
After the creation, you will see a new certificate available in your table:
In case you do not want to use any of the standard certificates which we are providing, you can upload up to two of your own certificates
You may leverage SCEPman Certificate Master to generate a server certificate for you. Please follow those steps:
- 1.Navigate to your SCEPman Certificate Master web portal.
- 2.Generate a server certificate as described here and provide any FQDN you want. We recommend to adapt the SAN of the default server certificate, i.g.
radius.<your RADIUSaaS instance name>.net.
- 3.Since RADIUSaaS requires the complete certificate chain in the PEM format, please run the following OpenSSL command to add SCEPman's root CA to the chain and to perform the format conversion (
certificate-test.pfxis the name of the downloaded server certificate generated via SCEPman Certificate Master).
openssl pkcs12 -in certificate-test.pfx -out servercert.cert -nodes
curl https://YOURSCEPMANINSTANCE.COM/certsrv/mscep/mscep.dll/pkiclient.exe\?operation\=GetCACert | openssl x509 -inform der >> servercert.cert
Please note: By default, SCEPman Certificate Master issues certificates that are valid for 730 days. If you'd like to change this, please refer to SCEPman's documentation.
To add your own server certificate, e.g. one issued by SCEPman, please follow those steps.
- 1.Click Add
- 2.Choose PEM encoded Certificate
- 3.Copy & Paste your certificate or use the Browse File option
- 4.Enter the password of your Private Key
- 5.Click Save
As certificates expire from time to time or your preference on which certificates you would like to use change, it is important that you can control the certificate that your server is using. The Active column shows you the certificate your server is currently using. To change the certificate your server is using, expand the row of the certificate you would like to choose and click Activate.
To download your Server Certificate click Download in the corresponding row.
It will open a dialog, and show the complete certificate path. The root certificate will always be marked in green.
RadSec itself works with certificate authentication as well. Hence, your RADIUS server has to know who is allowed to establish a valid RadSec connection. Due to this requirement, you will always see at least one certificate in this table, which is the one related to your RadSec proxy. To ensure that your proxies are able to start up properly and are able to establish a connection to your instance, you cannot delete it.
To allow new clients to establish a RadSec connection to your instance, follow these steps:
- 1.Click Add
- 2.Copy & Paste your certificate or use the Browse File option
- 3.Click Save
After this you should see your imported certificate in your table.
To delete a certificate, expand the corresponding row, click Delete and confirm your choice.
Certificates will expire from time to time. Five months before your certificate is going to be expired, you dashboard will give you a hint that your certificate is about to expire.
If you're seeing this triangle, follow this guide how you can change your certificate: