# Import certificate to SecureAuth RADIUS trust store

The SecureAuth RADIUS Server only trusts appliances that are signed by a valid certificate authority (CA). Because SecureAuth® Identity Platform appliances are signed by a valid CA, you typically do not need to change anything on SecureAuth RADIUS. However, if your site has installed the SecureAuth RADIUS service on a separate server from the Identity Platform, and the CA you use to sign your certificate is not installed in the SecureAuth RADIUS trust store, you must import the certificate to the trust store. Otherwise, end users cannot authenticate and the SecureAuth RADIUS log file will show an "SSL Handshake Exception" because the certificate is not trusted.

Importing an SSL/TLS certificate to the SecureAuth RADIUS trust store adds a security layer between SecureAuth RADIUS and the Identity Platform, especially for customers who install the SecureAuth RADIUS service on a separate server. The certificate is usually defined as the binding certificate on the Identity Platform servers. The certificate is trusted because it is in the SecureAuth RADIUS trust store, so SecureAuth RADIUS can connect securely to the Identity Platform.

Follow these steps to prevent untrusted certificates from being used and to import a certificate to the SecureAuth RADIUS trust store.

### Note

The directory paths you use depend on your SecureAuth RADIUS server version or the destination folder selected when you installed the SecureAuth RADIUS Server. The following are examples of default paths:

• C:\idpRADIUS\bin\

• C:\Program Files (x86)\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\

• C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\

## Prevent use of untrusted certificates

1. Go to the directory where you installed SecureAuth RADIUS.

2. Go to the \bin\logs folder.

3. Open the appliance.radius.properties file.

4. Remove the idp.allowSelfSignedCerts property or set the property to false.

## Import certificates

1. Open a Windows command prompt and change the directory to SecureAuth-RADIUS_directory\bin\serverJre\jre.

   For example:

   ```
   cd "C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\serverJre\jre"
   ```

2. Run the following import command:

   ```
   .\bin\keytool.exe -import -trustcacerts -alias <alias> -file <certificate.cer> -keystore .\lib\security\cacerts
   ```

3. The keytool prompts you to enter the trust store password. By default, the password is changeit.

4. When asked if you trust the certificate, enter yes. The certificate is then imported.
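The following PowerShell script is an added example, not SecureAuth's own tooling. It wraps the two procedures above with the checks an administrator would want around them: confirming the self-signed setting, reviewing the certificate fingerprints before trusting it, backing up the trust store, and verifying the new entry. The install path is one of the defaults listed on this page and the properties file location follows the steps above; the certificate file name and alias are placeholders. Run it from an elevated session.

```powershell
# Added example: paths follow the defaults on this page; alias and certificate file are placeholders.
$ErrorActionPreference = 'Stop'
$RadiusBin = 'C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin'
$Jre       = Join-Path $RadiusBin 'serverJre\jre'
$Keytool   = Join-Path $Jre 'bin\keytool.exe'
$Cacerts   = Join-Path $Jre 'lib\security\cacerts'
$Props     = Join-Path $RadiusBin 'logs\appliance.radius.properties'
$CertFile  = 'C:\temp\idp-ca.cer'   # placeholder: the CA certificate to import
$Alias     = 'idp-ca'               # placeholder alias

# 1. Refuse to continue while self-signed certificates are still allowed.
#    (No match means the property was removed, which is also acceptable.)
$hits = Select-String -Path $Props -Pattern '^\s*idp\.allowSelfSignedCerts\s*[=:]\s*(\S+)'
foreach ($h in $hits) {
    if ($h.Matches[0].Groups[1].Value -ne 'false') {
        throw "idp.allowSelfSignedCerts is not false at line $($h.LineNumber) of $Props"
    }
}

# 2. Show owner, issuer and fingerprints so they can be compared with the
#    values obtained from the CA before anything is trusted.
& $Keytool -printcert -file $CertFile
if ($LASTEXITCODE -ne 0) { throw "keytool could not read $CertFile" }
if ((Read-Host 'Fingerprints match the expected CA? (yes/no)') -ne 'yes') {
    throw 'Import cancelled.'
}

# 3. Keep a timestamped copy of the trust store for rollback.
$Backup = "$Cacerts.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $Cacerts -Destination $Backup

# 4. Import (keytool prompts for the trust store password and for confirmation).
& $Keytool -import -trustcacerts -alias $Alias -file $CertFile -keystore $Cacerts
if ($LASTEXITCODE -ne 0) { throw "Import failed; restore $Backup if needed" }

# 5. Confirm the entry is now present in the trust store.
& $Keytool -list -v -alias $Alias -keystore $Cacerts
if ($LASTEXITCODE -ne 0) { throw "Alias $Alias not found in $Cacerts" }
```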