Import certificate to RADIUS trust store

The certificate on a SecureAuth Identity Platform appliance is typically signed by a certificate authority (CA), and SecureAuth RADIUS Server only trusts appliances whose certificate is signed by a valid CA. Because Identity Platform appliances are signed by a valid CA, you typically do not need to change anything on RADIUS. However, if your site runs the SecureAuth RADIUS service on a separate server from the Identity Platform, and the CA that signed your certificate is not present in the SecureAuth RADIUS trust store, you must import the certificate into the trust store.

Symptom

End users cannot authenticate.

Cause

Authenticating SecureAuth RADIUS end users against a SecureAuth Identity Platform endpoint whose certificate is not trusted fails. The SecureAuth RADIUS log file shows an "SSL Handshake Exception" because the certificate is not trusted.

Resolution

Importing an SSL/TLS certificate into the RADIUS trust store adds a security layer between SecureAuth RADIUS and SecureAuth Identity Platform, which matters especially for customers who run the SecureAuth RADIUS service on a separate server.

  1. Keep untrusted certificates from being used.

    1. Navigate to <RADIUS_installation_directory>\SecureAuth IdP RADIUS Agent\bin\logs

    2. Open the appliance.radius.properties file.

    3. Remove the idp.allowSelfSignedCerts property or set the property to false.

  2. Import the certificate into the RADIUS trust store.

    1. Open a Windows command prompt and navigate to the JRE bundled with the SecureAuth RADIUS installation, located at

      <RADIUS_installation_directory>\SecureAuth IdP RADIUS Agent\bin\serverJre\jre

    2. Run the following import script:

      .\bin\keytool.exe -import -trustcacerts -alias <alias> -file <certificate.cer> -keystore .\lib\security\cacerts

    3. keytool prompts for the trust store password. By default, the password is changeit.

    4. When asked if you trust the certificate, enter yes. The certificate is then imported.
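The following PowerShell script is an added example, not SecureAuth's own tooling: it performs both parts of the procedure above non-interactively (refuses to continue while idp.allowSelfSignedCerts is still true, inspects the certificate, imports it with keytool, and verifies the alias is present). The installation root, alias, and certificate file path are assumptions; adjust them for your site.

```powershell
# Added example; the three values below are assumptions, not defaults documented by SecureAuth.
param(
    [string]$RadiusRoot = 'C:\Program Files\SecureAuth IdP RADIUS Agent',  # assumed install root
    [string]$CertFile   = 'C:\certs\idp-ca.cer',                           # assumed CA/binding cert export
    [string]$Alias      = 'secureauth-idp-ca',                             # assumed alias
    [string]$StorePass  = 'changeit'                                       # keytool default from the article
)
$Props   = Join-Path $RadiusRoot 'bin\logs\appliance.radius.properties'
$Jre     = Join-Path $RadiusRoot 'bin\serverJre\jre'
$Keytool = Join-Path $Jre 'bin\keytool.exe'
$Cacerts = Join-Path $Jre 'lib\security\cacerts'

# 1. Keep untrusted certificates from being used: stop if the property is still set to true.
$allowSelfSigned = Get-Content -Path $Props -ErrorAction Stop |
    Where-Object { $_ -match '^\s*idp\.allowSelfSignedCerts\s*=\s*true\s*$' }
if ($allowSelfSigned) {
    throw "idp.allowSelfSignedCerts is still true in $Props; remove it or set it to false first."
}

# 2. Look at what you are about to trust: subject, issuer, validity window and thumbprint.
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList $CertFile
if ((Get-Date) -gt $cert.NotAfter) {
    throw "Certificate $CertFile expired on $($cert.NotAfter); do not import it."
}
"Importing Subject='$($cert.Subject)' Issuer='$($cert.Issuer)' Thumbprint=$($cert.Thumbprint) NotAfter=$($cert.NotAfter)"

# 3. Same keytool import as the article, with -noprompt and -storepass replacing the interactive answers.
& $Keytool -import -trustcacerts -noprompt -alias $Alias -file $CertFile `
    -keystore $Cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 4. Verify the alias is now in the trust store (keytool exits non-zero if the alias is missing).
& $Keytool -list -alias $Alias -keystore $Cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "Alias '$Alias' not found in $Cacerts after import" }

# The JVM reads cacerts when it starts, so restart the SecureAuth RADIUS service to pick up the change.
"Trust store updated: $Cacerts now contains alias '$Alias'. Restart the SecureAuth RADIUS service."
```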

The certificate is usually the binding certificate configured on the Identity Platform servers. Because it is now in the SecureAuth RADIUS trust store, it is trusted, and SecureAuth RADIUS can connect securely to the SecureAuth Identity Platform.