Import certificate in RADIUS trust store, v20.06
SecureAuth Identity Platform appliances typically present a certificate signed by a certificate authority (CA); SecureAuth RADIUS Server v20.06 only trusts appliances whose certificate is signed by a CA that it trusts. Because Identity Platform appliance certificates are signed by a valid CA, you typically do not need to change anything on RADIUS. However, if your site has installed the SecureAuth RADIUS service on a separate server from the Identity Platform, and the CA that you used to sign your certificate is not present in the SecureAuth RADIUS trust store, you must import that CA certificate into the trust store.
Symptom
End users cannot authenticate.
Cause
Authenticating SecureAuth RADIUS end users to a SecureAuth Identity Platform endpoint configured without a trusted certificate will fail. The SecureAuth RADIUS log file will show an "SSL Handshake Exception" because the certificate is not trusted.
Resolution
Importing an SSL/TLS certificate to the RADIUS trust store adds an additional security layer between SecureAuth RADIUS and SecureAuth Identity Platform, especially for customers who install the SecureAuth RADIUS service on a separate server.
1. Keep untrusted certificates from being used.
   a. Navigate to <RADIUS_installation_directory>\SecureAuth IdP RADIUS Agent\bin\logs
   b. Open the appliance.radius.properties file.
   c. Remove the idp.allowSelfSignedCerts property, or set the property to false.
2. Import the certificate into the RADIUS trust store.
   a. Open a Windows command prompt and navigate to the SecureAuth RADIUS installation, located at <RADIUS_installation_directory>\SecureAuth IdP RADIUS Agent\bin\serverJre\jre
   b. Run the following import command:
      .\bin\keytool.exe -import -trustcacerts -alias <alias> -file <certificate.cer> -keystore .\lib\security\cacerts
   c. keytool requests the trust store password. By default, the password is changeit.
   d. When asked whether you trust the certificate, enter yes. The certificate is then imported.
The certificate is usually defined as the binding certificate on the Identity Platform servers. The certificate is trusted because it is in the SecureAuth RADIUS trust store, so SecureAuth RADIUS can connect securely to the SecureAuth Identity Platform.
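The following PowerShell script is an added example, not SecureAuth's own tooling, that performs the two resolution steps above and verifies the result: it sets idp.allowSelfSignedCerts to false in appliance.radius.properties, imports the CA certificate into the bundled JRE's cacerts only if the alias is not already present, and then lists the trusted entry so its subject and fingerprint can be compared against the CA that signed the appliance's binding certificate. It assumes the directory layout quoted in this article, that appliance.radius.properties uses Java key=value syntax, and that the trust store password is the default changeit; the installation directory, certificate file and alias are parameters you supply.

```powershell
# Added example (not SecureAuth's own script). Assumes the installation layout
# described in the article and the default trust store password.
param(
    [Parameter(Mandatory)] [string] $RadiusInstallDir,   # e.g. 'C:\SecureAuth' (hypothetical)
    [Parameter(Mandatory)] [string] $CertFile,           # CA certificate (.cer, DER or Base64 X.509)
    [Parameter(Mandatory)] [string] $Alias,              # trust store alias, e.g. 'corp-root-ca' (hypothetical)
    [string] $StorePass = 'changeit'                     # default cacerts password per the article
)

$ErrorActionPreference = 'Stop'
$agentDir  = Join-Path $RadiusInstallDir 'SecureAuth IdP RADIUS Agent'
$propsFile = Join-Path $agentDir 'bin\logs\appliance.radius.properties'
$jreDir    = Join-Path $agentDir 'bin\serverJre\jre'
$keytool   = Join-Path $jreDir 'bin\keytool.exe'
$cacerts   = Join-Path $jreDir 'lib\security\cacerts'

foreach ($p in @($propsFile, $keytool, $cacerts, $CertFile)) {
    if (-not (Test-Path $p)) { throw "Expected file not found: $p" }
}

# Step 1: make sure self-signed certificates are not accepted.
# Assumes Java properties syntax (key=value); the key name comes from the article.
$key   = 'idp.allowSelfSignedCerts'
$lines = @(Get-Content $propsFile)          # @() keeps a one-line file as an array
if ($lines -match "^\s*$key\s*=") {
    $lines = $lines -replace "^\s*$key\s*=.*$", "$key=false"
} else {
    $lines += "$key=false"
}
Copy-Item $propsFile "$propsFile.bak" -Force  # keep a backup of the original file
Set-Content -Path $propsFile -Value $lines

# Step 2: import the CA certificate, but only if the alias is not already present.
# keytool -list exits non-zero when the alias does not exist.
& $keytool -list -alias $Alias -keystore $cacerts -storepass $StorePass *> $null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Alias '$Alias' already present in $cacerts; nothing imported."
} else {
    # -importcert is the long form of -import; -noprompt answers the trust question non-interactively.
    & $keytool -importcert -trustcacerts -noprompt -alias $Alias -file $CertFile `
        -keystore $cacerts -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }
}

# Verification: show owner, issuer and SHA-256 fingerprint of the trusted entry,
# and the subject/expiry of the file that was imported, so they can be compared
# with the issuer of the Identity Platform binding certificate.
& $keytool -list -v -alias $Alias -keystore $cacerts -storepass $StorePass |
    Select-String 'Owner:|Issuer:|SHA256:'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
Write-Host "Imported certificate subject: $($cert.Subject)"
Write-Host "Imported certificate expires:  $($cert.NotAfter)"
```

Run it from an elevated prompt, since cacerts under the RADIUS installation is normally writable only by administrators. Import the issuing CA certificate rather than the appliance's leaf certificate, so that a renewed binding certificate from the same CA continues to be trusted. Note that the entry lives in the JRE's own cacerts file; if that JRE is ever replaced by an upgrade, check that the alias is still listed and re-run the import if it is not.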