Certificate and private key configuration for TLS/SSL connections
certificates
The certificates clause defines named X.509 certificate and private key
objects that other parts of the configuration reference (for example TLS
listeners, EAP-TLS / PEAP / TTLS methods, management HTTPS, RADIUS/TLS, or
internal components requiring a certificate/key pair). Centralizing these
definitions avoids repeating file paths and eases rotation.
A definition is purely a reference wrapper around on‑disk PEM files; the server loads and holds them in memory after parsing.
Structure
```
certificates {
    x509 "SERVER_CERT" {
        filename "/etc/radiator/certs/server.pem";
    }
    x509-directory "CLIENT_CA_DIRECTORY" {
        directory "/etc/radiator/certs/clients";
        interval 30m;
    }
    key "SERVER_KEY" {
        filename "/etc/radiator/private/server-key.pem";
        # password "correcthorsebatterystaple";
    }
}
```
You can define any number of certificate (x509), certificate directory (x509-directory), and private key (key) blocks.
Names are case sensitive. Reusing a name will cause a configuration error.
Blocks and Statements
| Element | Context | Required | Description |
|---|---|---|---|
| x509 "NAME" { ... } | certificates | No (at least one if you need TLS) | Declares a certificate by name |
| filename "path"; | Inside x509 | Yes | Absolute or relative path to the PEM certificate |
| x509-directory "NAME" { ... } | certificates | No | Declares a named directory of PEM CA certificates |
| directory "path"; | Inside x509-directory | Yes | Path to a directory containing PEM CA certificates |
| interval DURATION; | Inside x509-directory | No | Refresh interval for rescanning the directory. Plain numbers mean milliseconds |
| key "NAME" { ... } | certificates | No (required if a private key is needed) | Declares a private key by name |
| filename "path"; | Inside key | Yes | Path to the PEM encoded private key |
| password "*****"; | Inside key | No | Passphrase for the key (only if the PEM is encrypted) |
Relative paths are resolved relative to the working directory of the running process (typically the directory where you start the server). Prefer absolute paths for production.
Certificate directories
Use x509-directory for CA bundles that are maintained as individual PEM files in a directory.
Radiator rescans the directory periodically and reloads the certificates without requiring a
configuration change. If interval is omitted, the directory is rescanned every 3s.
```
certificates {
    x509-directory "CLIENT_CA_DIRECTORY" {
        directory "/etc/radiator/certs/clients";
        interval 30m;
    }
}
```
The interval value supports the same duration syntax used elsewhere in configuration files,
such as 30s, 5m, and 1h30m. Plain numbers are interpreted as milliseconds. See
Duration Units for the full syntax.
Usage in Other Clauses
Example: EAP-TLS inside an AAA handler (the commented-out lines show how the CA directory defined above would be referenced):
```
authentication {
    backend "USERS";
    eap {
        eap-tls {
            tls {
                certificate "SERVER_CERT";
                certificate_key "SERVER_KEY";
                # client_ca_certificate "CLIENT_CA_DIRECTORY";
                # require_client_certificate true;
            }
        }
    }
}
```
Example: TLS listener (shape depends on the server protocol block):
```
servers {
    radius "auth-tls" {
        listen {
            protocol tls;
            port 2083;
            ip 0.0.0.0;
        }
        # certificate/key reference occurs in the TLS sub-block for the listener
        policy "DEFAULT";
    }
}
```
(Refer to the server / EAP method documentation for the exact statement names
and where to reference certificate and certificate_key.)
Directory-backed CA bundles can be referenced anywhere a CA certificate object is accepted:
```
certificates {
    x509-directory "CLIENT_CA_DIRECTORY" {
        directory "/etc/radiator/certs/clients";
        interval 30m;
    }
}
authentication {
    eap {
        eap-tls {
            tls {
                client_ca_certificate "CLIENT_CA_DIRECTORY";
            }
        }
    }
}
```
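Mistakes in this clause usually surface only when a TLS handshake fails at runtime: a name typo in a tls block, a key file given by a path relative to the process working directory, or `interval 30;` meaning 30 milliseconds rather than 30 seconds. The following static checker is an added example, not Radiator's own code: it parses the brace/semicolon syntax shown in the examples above with a small hand-written parser, enforces the rules this page states (unique case-sensitive names, a required filename or directory, plain durations as milliseconds, a 3s default rescan), and cross-checks every `certificate`, `certificate_key` and `client_ca_certificate` statement inside a tls block against the objects actually defined. The duration units ms/s/m/h beyond the page's own examples, and the assumption that those three statement names are the only reference sites, are assumptions of the example.

```python
"""Static checks for a certificates clause and its tls-block references.

Added example, not Radiator code. Assumptions: duration units ms/s/m/h and
the three reference statement names listed in _REF_KINDS.
"""
import os
import re

# Tokens: quoted string, one of { } ;, a comment (dropped), or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|([{};])|(#[^\n]*)|([^\s{};"#]+)')
_UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}
_DURATION = re.compile(r"(\d+)(ms|h|m|s)")
_REF_KINDS = {  # tls statement -> object kinds it may name (assumption)
    "certificate": {"x509"},
    "certificate_key": {"key"},
    "client_ca_certificate": {"x509", "x509-directory"},
}


def tokenize(text):
    """Yield (kind, value) pairs; kind is 'str', 'word', '{', '}' or ';'."""
    for m in _TOKEN.finditer(text):
        if m.group(3):
            continue  # '#' comment runs to end of line
        if m.group(1) is not None:
            yield "str", m.group(1)
        elif m.group(2):
            yield m.group(2), m.group(2)
        else:
            yield "word", m.group(4)


def parse(tokens, i=0, nested=False):
    """Recursive-descent parse into {kw, args, body}; body is None for a statement."""
    nodes = []
    while i < len(tokens):
        kind, val = tokens[i]
        if kind == "}":
            if not nested:
                raise ValueError("unexpected '}'")
            return nodes, i + 1
        kw, args, i = val, [], i + 1
        while i < len(tokens) and tokens[i][0] in ("str", "word"):
            args.append(tokens[i][1])
            i += 1
        if i == len(tokens) or tokens[i][0] == "}":
            raise ValueError(f"statement {kw!r} is not terminated by ';' or a block")
        if tokens[i][0] == ";":
            nodes.append({"kw": kw, "args": args, "body": None})
            i += 1
        else:  # '{' opens a nested block
            body, i = parse(tokens, i + 1, nested=True)
            nodes.append({"kw": kw, "args": args, "body": body})
    if nested:
        raise ValueError("unbalanced braces")
    return nodes, i


def duration_ms(text):
    """Config duration to milliseconds: a plain number is already milliseconds."""
    if text.isdigit():
        return int(text)
    total, pos = 0, 0
    for m in _DURATION.finditer(text):
        if m.start() != pos:
            break  # garbage between unit groups
        total += int(m.group(1)) * _UNIT_MS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration {text!r}")
    return total


def check_config(text):
    """Return ({name: kind}, [finding, ...]) for one configuration text."""
    tree, _ = parse(list(tokenize(text)))
    defined, findings = {}, []
    for clause in tree:
        if clause["kw"] != "certificates" or clause["body"] is None:
            continue
        for obj in clause["body"]:
            kind, name = obj["kw"], (obj["args"] or [None])[0]
            if kind not in ("x509", "x509-directory", "key") or obj["body"] is None:
                findings.append(f"unknown object {kind!r} in certificates clause")
                continue
            if name in defined:  # dict keys are case sensitive, as the names are
                findings.append(f"duplicate name {name!r}")
            defined[name] = kind
            stmts = {s["kw"]: s["args"] for s in obj["body"] if s["body"] is None}
            path_kw = "directory" if kind == "x509-directory" else "filename"
            if path_kw not in stmts:
                findings.append(f"{kind} {name!r}: missing required {path_kw!r}")
            elif not os.path.isabs(stmts[path_kw][0]):
                findings.append(f"{kind} {name!r}: relative path {stmts[path_kw][0]!r} "
                                "resolves against the process working directory")
            if kind == "x509-directory":
                ms = duration_ms(stmts["interval"][0]) if "interval" in stmts else 3000
                if ms < 1000:
                    findings.append(f"{kind} {name!r}: rescan every {ms} ms "
                                    "(a plain number is milliseconds, not seconds)")

    def walk(nodes):  # find reference statements in every tls block
        for n in nodes:
            if n["kw"] == "tls" and n["body"] is not None:
                for s in n["body"]:
                    if s["kw"] in _REF_KINDS and s["args"]:
                        ref_kind = defined.get(s["args"][0])
                        if ref_kind is None:
                            findings.append(f"{s['kw']} {s['args'][0]!r}: no such object")
                        elif ref_kind not in _REF_KINDS[s["kw"]]:
                            findings.append(f"{s['kw']} {s['args'][0]!r}: is a {ref_kind}")
            if n["body"]:
                walk(n["body"])
    walk(tree)
    return defined, findings


# Constructed sample: the page's objects plus three deliberate mistakes.
SAMPLE_CONFIG = """
certificates {
    x509 "SERVER_CERT" { filename "/etc/radiator/certs/server.pem"; }
    x509-directory "CLIENT_CA_DIRECTORY" {
        directory "/etc/radiator/certs/clients";
        interval 30;                                  # mistake: 30 ms, not 30 s
    }
    key "SERVER_KEY" { filename "private/server-key.pem"; }  # mistake: relative
}
authentication { eap { eap-tls { tls {
    certificate "SERVER_CERT";
    certificate_key "SERVER_KEY";
    client_ca_certificate "CLIENTS_CA";               # mistake: never defined
} } } }
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG)[1]:
        print("-", finding)
```

Run it against the real configuration before restarting the server; every finding it prints corresponds to a rule stated on this page, and the reference check catches the class of error that otherwise appears only as a handshake failure on the client side.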
Debug Logging
When debug logging is enabled (RADIATOR_LOG_LEVEL=debug or --debug), the server logs
certificate details as each certificate is added to a TLS context. This helps
verify correct certificate loading and troubleshoot TLS configuration issues.
Example log entry in JSON format:
```json
{
    "level": "DEBUG",
    "namespace": ["configuration", "certificates"],
    "message": "Certificate added to TLS context",
    "fields": {
        "tls_context": "server_cert_chain",
        "cert_config": "SERVER_CERT",
        "chain_position": "0",
        "subject": "c=AU,cn=test.server.example.com",
        "issuer": "c=AU,cn=Example CA",
        "san": "ip:10.20.30.101, dns:test.server.example.com",
        "not_before": "2025-01-01T00:00:00Z",
        "not_after": "2027-01-01T00:00:00Z",
        "serial": "20:25:01:01:00:01"
        ...
    }
}
```
The tls_context field indicates where the certificate is used:
- server_cert_chain - Server certificate and chain
- server_client_ca - CA certificates for client verification
- client_cert_chain - Client certificate and chain (for outbound TLS)
- client_server_ca - CA certificates for server verification (for outbound TLS)
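Because these entries are emitted once per certificate and carry the subject, issuer, validity window and chain position, they are enough to audit what the server actually loaded without touching the PEM files. The script below is an added example, not Radiator's own tooling: it reads one JSON object per log line in the shape shown above, lists the certificates per tls_context, warns about certificates that are expired, not yet valid or inside a warning window, and checks that adjacent positions in a *_cert_chain context really chain (the issuer at position n must be the subject at position n+1). The sample log lines, the evaluation date and the assumption that not_before/not_after are UTC timestamps with a Z suffix are constructed for the example.

```python
"""Inventory and validity check over certificate debug log entries.

Added example, not Radiator code. Assumption: timestamps are UTC with a Z
suffix, as in the page's example entry.
"""
import json
from datetime import datetime, timedelta, timezone

CERT_MESSAGE = "Certificate added to TLS context"


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def certificate_fields(lines):
    """Yield the `fields` dict of every certificate-added entry; skip other lines."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # plain-text log lines are ignored
        if isinstance(entry, dict) and entry.get("message") == CERT_MESSAGE:
            yield entry["fields"]


def inventory(lines, now, warn_days=30):
    """Return ({tls_context: [(position, subject, issuer), ...]}, [warning, ...])."""
    contexts, warnings = {}, []
    for f in certificate_fields(lines):
        ctx, pos, subject = f["tls_context"], int(f["chain_position"]), f["subject"]
        contexts.setdefault(ctx, []).append((pos, subject, f["issuer"]))
        where = f"{ctx}[{pos}] {subject}"
        left = parse_ts(f["not_after"]) - now
        if now < parse_ts(f["not_before"]):
            warnings.append(f"{where}: not valid until {f['not_before']}")
        elif left < timedelta(0):
            warnings.append(f"{where}: expired on {f['not_after']}")
        elif left < timedelta(days=warn_days):
            warnings.append(f"{where}: expires in {left.days} days ({f['not_after']})")
    for ctx, chain in contexts.items():
        chain.sort()  # by chain_position
        if ctx.endswith("_cert_chain"):  # server_cert_chain / client_cert_chain
            for (pos, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
                if issuer != next_subject:
                    warnings.append(f"{ctx}: position {pos} is issued by {issuer!r} "
                                    f"but position {pos + 1} is {next_subject!r}")
    return contexts, warnings


def _entry(**fields):
    """Build one constructed log line in the page's JSON shape."""
    return json.dumps({"level": "DEBUG", "namespace": ["configuration", "certificates"],
                       "message": CERT_MESSAGE, "fields": fields})


# Constructed sample log: the page's entry, a chain member that does not match
# its leaf's issuer, a client CA close to expiry, and one non-JSON line.
NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)  # constructed evaluation date
SAMPLE_LOG = [
    "2026-06-15T00:00:00Z INFO starting TLS listener auth-tls",
    _entry(tls_context="server_cert_chain", cert_config="SERVER_CERT", chain_position="0",
           subject="c=AU,cn=test.server.example.com", issuer="c=AU,cn=Example CA",
           san="ip:10.20.30.101, dns:test.server.example.com",
           not_before="2025-01-01T00:00:00Z", not_after="2027-01-01T00:00:00Z",
           serial="20:25:01:01:00:01"),
    _entry(tls_context="server_cert_chain", cert_config="SERVER_CERT", chain_position="1",
           subject="c=AU,cn=Other CA", issuer="c=AU,cn=Other CA", san="",
           not_before="2020-01-01T00:00:00Z", not_after="2030-01-01T00:00:00Z", serial="01"),
    _entry(tls_context="server_client_ca", cert_config="CLIENT_CA_DIRECTORY", chain_position="0",
           subject="c=AU,cn=Client CA", issuer="c=AU,cn=Client CA", san="",
           not_before="2016-07-01T00:00:00Z", not_after="2026-07-01T00:00:00Z", serial="02"),
]

if __name__ == "__main__":
    contexts, warnings = inventory(SAMPLE_LOG, NOW)
    for ctx, chain in contexts.items():
        print(ctx, chain)
    print("\n".join(warnings))
```

Feed it the debug log from a server start (`inventory(open(path), datetime.now(timezone.utc))`) and compare the server_client_ca list against the PEM files in the x509-directory: a CA file the server silently skipped, or a stale one still loaded after a rotation, shows up as a difference between the two.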