Certificate and private key configuration for TLS/SSL connections

certificates

The certificates clause defines named X.509 certificate and private key objects that other parts of the configuration reference (for example TLS listeners, EAP‑TLS / PEAP / TTLS methods, management HTTPS, RADIUS/TLS, or internal components requiring a certificate/key pair). Centralizing these definitions avoids repeating file paths and eases rotation.

A definition is purely a reference wrapper around on‑disk PEM files; the server loads and holds them in memory after parsing.

Structure

certificates {
    x509 "SERVER_CERT" {
        filename "/etc/radiator/certs/server.pem";
    }

    key "SERVER_KEY" {
        filename "/etc/radiator/private/server-key.pem";
        # password "correcthorsebatterystaple";
    }
}

You can define any number of certificate (x509) and private key (key) blocks. Names are case sensitive. Reusing a name will cause a configuration error.

Blocks and Statements

Element               Context        Required                             Description
x509 "NAME" { ... }   certificates   No (≥1 if you need TLS)              Declares a certificate by name
filename "path";      Inside x509    Yes                                  Absolute or relative path to PEM certificate
key "NAME" { ... }    certificates   No (required if private key needed)  Declares a private key by name
filename "path";      Inside key     Yes                                  Path to PEM encoded private key
password "*****";     Inside key     No                                   Passphrase for encrypted key (if the PEM is encrypted)

Relative paths are resolved relative to the working directory of the running process (typically the directory where you start the server). Prefer absolute paths for production.

Usage in Other Clauses

Example: EAP‑TLS inside an AAA handler:

authentication {
    backend "USERS";
    eap {
        eap-tls {
            tls {
                certificate "SERVER_CERT";
                certificate_key "SERVER_KEY";
                # client_ca_certificate "CLIENTS_CA";
                # require_client_certificate true;
            }
        }
    }
}

Example: TLS listener (shape depends on the server protocol block):

servers {
    radius "auth-tls" {
        listen {
            protocol tls;
            port 2083;
            ip 0.0.0.0;
        }
        # certificate/key reference occurs in the TLS sub-block for the listener
        policy "DEFAULT";
    }
}

(Refer to the server / EAP method documentation for the exact directive names and where to reference certificate and certificate_key.)
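The rules above (one filename per object, password only inside key, names case sensitive and unique, relative paths resolved against the working directory) and the cross-clause references in the examples (certificate and certificate_key naming an x509 or key object) can be checked before the server is started. The linter below is an added example written for this page, not part of the server or its distribution: it parses the block/statement syntax shown in the examples (ident, optional quoted label, braces, semicolon-terminated statements, # comments), validates the certificates clause, and reports any certificate / certificate_key reference that does not resolve. It assumes x509 and key names are separate namespaces (they are referenced by different directives); the sample configuration embedded below is the page's own certificates and EAP-TLS examples combined.

```python
"""Lint the `certificates` clause and its certificate / certificate_key
references. Added example for this documentation page, not server code."""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Token kinds: comment (dropped), "quoted string", one of { } ;, or a bare word
# such as tls, 2083, 0.0.0.0 or eap-tls.
_TOKEN = re.compile(r'#[^\n]*|"([^"\\]*(?:\\.[^"\\]*)*)"|[{};]|[^\s{};"#]+')

# Combined from the certificates and EAP-TLS examples on this page.
SAMPLE_CONFIG = '''
certificates {
    x509 "SERVER_CERT" { filename "/etc/radiator/certs/server.pem"; }
    key "SERVER_KEY" {
        filename "/etc/radiator/private/server-key.pem";
        # password "correcthorsebatterystaple";
    }
}
authentication {
    backend "USERS";
    eap { eap-tls { tls {
        certificate "SERVER_CERT";
        certificate_key "SERVER_KEY";
    } } }
}
'''


@dataclass
class Node:
    name: str                      # directive or block keyword, e.g. x509, filename
    label: Optional[str] = None    # quoted block label, e.g. SERVER_CERT
    value: Optional[str] = None    # statement value with quotes removed
    children: List["Node"] = field(default_factory=list)
    is_block: bool = False


def tokenize(text: str) -> List[Tuple[str, str]]:
    """Return (kind, text) pairs; comments are discarded."""
    out = []
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if tok.startswith("#"):
            continue
        if m.group(1) is not None:          # quoted string, inner content only
            out.append(("str", m.group(1)))
        elif tok in ("{", "}", ";"):
            out.append((tok, tok))
        else:
            out.append(("word", tok))
    return out


def parse(text: str) -> List[Node]:
    """Parse `name ["label"] { ... }` blocks and `name value;` statements."""
    toks, pos = tokenize(text), 0

    def parse_items(stop_at_close: bool) -> List[Node]:
        nonlocal pos
        items: List[Node] = []
        while pos < len(toks):
            kind, val = toks[pos]
            if kind == "}":
                if not stop_at_close:
                    raise SyntaxError("unexpected '}' at top level")
                pos += 1
                return items
            if kind != "word":
                raise SyntaxError(f"expected directive name, got {val!r}")
            name, pos, label = val, pos + 1, None
            # A quoted token directly followed by '{' is the block label.
            if pos + 1 < len(toks) and toks[pos][0] == "str" and toks[pos + 1][0] == "{":
                label, pos = toks[pos][1], pos + 1
            if pos < len(toks) and toks[pos][0] == "{":
                pos += 1
                items.append(Node(name, label=label, children=parse_items(True), is_block=True))
                continue
            if pos >= len(toks) or toks[pos][0] not in ("str", "word"):
                raise SyntaxError(f"directive {name!r} needs a value")
            value, pos = toks[pos][1], pos + 1
            if pos >= len(toks) or toks[pos][0] != ";":
                raise SyntaxError(f"missing ';' after {name} {value!r}")
            pos += 1
            items.append(Node(name, value=value))
        if stop_at_close:
            raise SyntaxError("missing '}'")
        return items

    return parse_items(False)


def lint(text: str, check_files: bool = False) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the certificates clause and its references."""
    errors, warnings = [], []
    tree = parse(text)
    names = {"x509": set(), "key": set()}   # assumption: separate namespaces
    for clause in (n for n in tree if n.is_block and n.name == "certificates"):
        for obj in clause.children:
            if not obj.is_block or obj.name not in names or obj.label is None:
                errors.append(f"certificates: unexpected element {obj.name!r}")
                continue
            if obj.label in names[obj.name]:   # names are case sensitive
                errors.append(f"{obj.name} {obj.label!r} defined more than once")
            names[obj.name].add(obj.label)
            files = [c.value for c in obj.children if c.name == "filename" and not c.is_block]
            if len(files) != 1:
                errors.append(f"{obj.name} {obj.label!r}: exactly one filename is required")
            for path in files:
                if not os.path.isabs(path):
                    warnings.append(f"{obj.name} {obj.label!r}: relative path {path!r} "
                                    "is resolved against the process working directory")
                if check_files and not os.path.isfile(path):
                    errors.append(f"{obj.name} {obj.label!r}: file not found: {path}")
            for c in obj.children:
                if c.name == "password" and obj.name != "key":
                    errors.append(f"x509 {obj.label!r}: 'password' is only valid inside a key block")
                elif c.name not in ("filename", "password"):
                    errors.append(f"{obj.name} {obj.label!r}: unknown statement {c.name!r}")
    ref_kind = {"certificate": "x509", "certificate_key": "key"}

    def walk(nodes: List[Node]) -> None:   # resolve references anywhere in the tree
        for n in nodes:
            if n.is_block:
                walk(n.children)
            elif n.name in ref_kind and n.value not in names[ref_kind[n.name]]:
                errors.append(f"{n.name} {n.value!r} does not match any {ref_kind[n.name]} definition")
    walk(tree)
    return errors, warnings


if __name__ == "__main__":
    for severity, msgs in zip(("error", "warning"), lint(SAMPLE_CONFIG)):
        for msg in msgs:
            print(f"{severity}: {msg}")
```

Pass check_files=True when running on the host that will start the server, so that the existence check uses the same working directory the process will have; on another machine the paths are still validated for shape and uniqueness but not for presence.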