
freeradius-3.0.26-1.mga9.src.rpm

diff -Nrup a/raddb/mods-available/eap b/raddb/mods-available/eap
--- a/raddb/mods-available/eap	2021-05-17 15:01:45.000000000 +0200
+++ b/raddb/mods-available/eap	2021-06-07 16:31:30.703235343 +0200
@@ -175,8 +175,8 @@ eap {
 	#  authenticate via EAP-TLS!  This is likely not what you want.
 	#
 	tls-config tls-common {
-		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
+		private_key_password =
+		private_key_file = ${system_ssldir}/private/radiusd.pem
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
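Review bot: `private_key_password =` on the first `+` line leaves the password set to an empty string rather than unset, which reads as an accident next to the upstream convention of commenting out unused items. If the packaged key is unencrypted, `#	private_key_password =` says so explicitly; if a passphrase is ever required it belongs in a root-only file rather than in this world-readable module file. The new key location `${system_ssldir}/private/radiusd.pem` is under the system private directory, so the package has to guarantee the radiusd service user can read that file without it becoming world-readable — presumably via group ownership, but that is outside this patch and should be confirmed against the spec. The same empty-password edit is made in `inner-eap`, `rest`, both `abfab-tls` listeners and the `tls` listener; the `tls-common` section continues past this hunk.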
@@ -212,7 +212,7 @@ eap {
 		#  give advice which will work everywhere.  Instead,
 		#  we give general guidelines.
 		#
-		certificate_file = ${certdir}/server.pem
+		certificate_file = ${system_ssldir}/certs/radiusd.pem
 
 		#  Trusted Root CA list
 		#
@@ -225,7 +225,7 @@ eap {
 		#  In that case, this CA file should contain
 		#  *one* CA certificate.
 		#
-		ca_file = ${cadir}/ca.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
 
 	 	#  OpenSSL will automatically create certificate chains,
 	 	#  unless we tell it to not do that.  The problem is that
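Review bot: `ca_file = ${system_ssldir}/certs/ca-bundle.crt` changes the meaning of this setting from one private CA to the entire system trust store, and the context lines just above (`this CA file should contain *one* CA certificate`) now contradict the value. In the `eap` module, in `inner-eap` (its second hunk), in the `tls` listener and in both `abfab-tls` listeners, `ca_file` is the issuer set accepted for EAP-TLS / RadSec client certificates, so with the bundle a certificate from any public CA passes chain validation and only `check_cert_cn`, `check_cert_issuer` (mentioned in the last hunk of `tls`) or a post-auth policy is left to reject it. A dedicated CA, e.g. `ca_file = ${local_ssldir}/ca.pem` alongside the new `ca_path = ${local_ssldir}`, keeps the trust anchor narrow; the system bundle is appropriate only where radiusd is the TLS client verifying a public server, such as `home_server tls` or the `ldap`/`rest` examples. If the bundle is kept as the packaged default, the surrounding comment should be rewritten to state that every public CA is trusted for client authentication until the administrator narrows it.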
@@ -275,7 +275,7 @@ eap {
 		#  For OpenSSL >= 1.1.0, just leave this commented
 		#  out, and OpenSSL will do the right thing.
 		#
-	#	dh_file = ${certdir}/dh
+		dh_file = ${local_ssldir}/dh
 
 		#  If your system doesn't have /dev/urandom,
 		#  you will need to create this file, and
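Review bot: Uncommenting `dh_file = ${local_ssldir}/dh` goes against the context lines directly above, which say to leave it commented for OpenSSL >= 1.1.0 so OpenSSL supplies its own parameters. Once set, the file has to exist at startup (a missing DH file is, as far as I recall, a fatal TLS-init error rather than a warning), and its strength is whatever was generated — the example in the `home_server tls` hunk still shows `openssl dhparam -out certs/dh 1024`, which is too small today. Either keep the line commented, `#	dh_file = ${local_ssldir}/dh`, or have the package generate a 2048-bit or larger file at that path and update the 1024 example. The same uncommenting is done in the third hunk of `sites-available/tls`.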
@@ -320,7 +320,7 @@ eap {
 		# Check if intermediate CAs have been revoked.
 	#	check_all_crl = yes
 
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 
 		# OpenSSL does not reload contents of ca_path dir over time.
 		# That means that if check_crl is enabled and CRLs are loaded
diff -Nrup a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
--- a/raddb/mods-available/inner-eap	2021-05-17 15:01:45.000000000 +0200
+++ b/raddb/mods-available/inner-eap	2021-06-07 16:32:54.449951369 +0200
@@ -58,8 +58,8 @@ eap inner-eap {
 	#  It might work, or it might not.
 	#
 	tls {
-		private_key_password = whatever
-		private_key_file = ${certdir}/inner-server.pem
+		private_key_password =
+		private_key_file = ${system_ssldir}/private/inner-radiusd.pem
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -71,11 +71,11 @@ eap inner-eap {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/inner-server.pem
+		certificate_file = ${system_ssldir}/private/inner-radiusd.pem
 
 		#  You may want different CAs for inner and outer
 		#  certificates.  If so, edit this file.
-		ca_file = ${cadir}/ca.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
 
 		cipher_list = "DEFAULT"
 
@@ -87,7 +87,7 @@ eap inner-eap {
 	#	fragment_size = 1024
 
 		#  Other needful things
-		dh_file = ${certdir}/dh
+		dh_file = ${local_ssldir}/dh
 		random_file = /dev/urandom
 
 		#  CRL and OCSP things go here.  See the main "eap"
diff -Nrup a/raddb/mods-available/ldap b/raddb/mods-available/ldap
--- a/raddb/mods-available/ldap	2021-05-17 15:01:45.000000000 +0200
+++ b/raddb/mods-available/ldap	2021-06-07 16:33:58.483497650 +0200
@@ -569,11 +569,11 @@ ldap {
 		# using ldaps (port 636) connections
 #		start_tls = yes
 
-#		ca_file	= ${certdir}/cacert.pem
+#		ca_file	= ${system_ssldir}/certs/ca-bundle.crt
 
-#		ca_path	= ${certdir}
-#		certificate_file = /path/to/radius.crt
-#		private_key_file = /path/to/radius.key
+#		ca_path	= ${local_ssldir}
+#		certificate_file = ${system_ssldir}/certs/radiusd.pem
+#		private_key_file = ${system_ssldir}/private/radiusd.key
 #		random_file = /dev/urandom
 
  		#  Certificate Verification requirements.  Can be:
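Review bot: The commented example `private_key_file = ${system_ssldir}/private/radiusd.key` here (and in both `abfab-tls` listeners) names the key `radiusd.key`, while the `eap` module and the `rest` example point at `${system_ssldir}/private/radiusd.pem` for the same server identity. Whichever file the package actually installs, an administrator uncommenting one of these blocks will hit a missing-key error under the other layout, so the examples should agree on one name. Since `eap` is the module loaded by default, `#		private_key_file = ${system_ssldir}/private/radiusd.pem` looks like the safer choice unless the key really is shipped separately as `.key`, in which case `eap` and `rest` should change instead.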
diff -Nrup a/raddb/mods-available/rest b/raddb/mods-available/rest
--- a/raddb/mods-available/rest	2021-05-17 15:01:45.000000000 +0200
+++ b/raddb/mods-available/rest	2021-06-07 16:35:17.600171375 +0200
@@ -14,13 +14,13 @@ rest {
 		#    certificate chain validation.
 		#  "ca_path" (libcurl option CURLOPT_CAPATH).
 		#    Directory holding CA certificates to verify the peer with.
-#		ca_file = ${certdir}/cacert.pem
-#		ca_info_file = ${certdir}/cacert_bundle.pem
-#		ca_path = ${certdir}
+#		ca_file = ${system_ssldir}/certs/ca-bundle.crt
+#		ca_info_file = ${system_ssldir}/certs/ca-bundle.crt
+#		ca_path = ${local_ssldir}
 
-#		certificate_file        = /path/to/radius.crt
-#		private_key_file        = /path/to/radius.key
-#		private_key_password    = "supersecret"
+#		certificate_file        = ${system_ssldir}/certs/radiusd.pem
+#		private_key_file	= ${system_ssldir}/private/radiusd.pem
+#		private_key_password    =
 #		random_file             = /dev/urandom
 
 		#  Server certificate verification requirements.  Can be:
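Review bot: `private_key_file	= ${system_ssldir}/private/radiusd.pem` on the second-to-last `+` line aligns its `=` with a tab while the neighbouring `certificate_file` and `private_key_password` lines use spaces, so the column alignment the original block had is lost. Restoring the space padding, `#		private_key_file        = ${system_ssldir}/private/radiusd.pem`, keeps the example readable. The file name also differs from the `.key` used in the `ldap` example for the same key; see the note on that hunk.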
diff -Nrup a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
--- a/raddb/radiusd.conf.in	2021-05-17 15:01:45.000000000 +0200
+++ b/raddb/radiusd.conf.in	2021-06-07 16:36:46.788929456 +0200
@@ -96,9 +96,9 @@ name = radiusd
 #  Location of config and logfiles.
 confdir = ${raddbdir}
 modconfdir = ${confdir}/mods-config
-certdir = ${confdir}/certs
-cadir   = ${confdir}/certs
-run_dir = ${localstatedir}/run/${name}
+system_ssldir = /etc/pki/tls
+local_ssldir = ${confdir}/certs
+run_dir = /run/${name}
 
 # Should likely be ${localstatedir}/lib/radiusd
 db_dir = ${raddbdir}
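Review bot: Removing `certdir` and `cadir` rather than redefining them breaks any configuration file outside this patch that still expands `${certdir}` or `${cadir}` — upstream raddb references them in more places than the six files touched here (from memory, the `certs/` bootstrap and other entries under `mods-available`/`sites-available`), and an unresolved `${...}` reference is rejected at config load rather than ignored. Keeping compatibility aliases is cheap and makes the patch safe to apply over an existing installation: `certdir = ${local_ssldir}` and `cadir   = ${local_ssldir}` after the two new definitions. Hard-coding `/etc/pki/tls` in a `.in` file also bypasses whatever substitution the build applies to the neighbouring paths; probably fine for a distribution patch, but worth confirming against the spec.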
diff -Nrup a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
--- a/raddb/sites-available/abfab-tls	2021-05-17 15:01:45.000000000 +0200
+++ b/raddb/sites-available/abfab-tls	2021-06-07 16:39:56.488537899 +0200
@@ -11,15 +11,15 @@ listen {
 
 	tls {
 		tls_min_version = "1.2"
-		private_key_password = whatever
+		private_key_password =
 
 		# Moonshot tends to distribute certs separate from keys
-		private_key_file = ${certdir}/server.key
-		certificate_file = ${certdir}/server.pem
-		ca_file = ${cadir}/ca.pem
-		dh_file = ${certdir}/dh
+		private_key_file = ${system_ssldir}/private/radiusd.key
+		certificate_file = ${system_ssldir}/certs/radiusd.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
+		dh_file = ${local_ssldir}/dh
 		fragment_size = 8192
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 		cipher_list = "DEFAULT"
 		cache {
 			enable = no
@@ -49,15 +49,15 @@ listen {
 
 	tls {
 		tls_min_version = "1.2"
-		private_key_password = whatever
+		private_key_password =
 
 		# Moonshot tends to distribute certs separate from keys
-		private_key_file = ${certdir}/server.key
-		certificate_file = ${certdir}/server.pem
-		ca_file = ${cadir}/ca.pem
-		dh_file = ${certdir}/dh
+		private_key_file = ${system_ssldir}/private/radiusd.key
+		certificate_file = ${system_ssldir}/certs/radiusd.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
+		dh_file = ${local_ssldir}/dh
 		fragment_size = 8192
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 		cipher_list = "DEFAULT"
 		cache {
 			enable = no
diff -Nrup a/raddb/sites-available/tls b/raddb/sites-available/tls
--- a/raddb/sites-available/tls	2021-05-17 15:01:45.000000000 +0200
+++ b/raddb/sites-available/tls	2021-06-07 16:43:59.728594665 +0200
@@ -137,8 +137,8 @@ listen {
 	#  to refer to the "site1" sub-section of the "tls" section.
 	#
 	tls {
-		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
+		private_key_password =
+		certificate_file = ${system_ssldir}/certs/radiusd.pem
 
 		# Accept an expired Certificate Revocation List
 		#
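Review bot: The second `+` line replaces `private_key_file` with `certificate_file`, so this `tls` listener no longer names a private key at all, unlike the `abfab-tls` hunks and `home_server tls` below, which set both. Upstream's existing `certificate_file` line for this section lies outside the hunk and is not touched elsewhere in the patch, so the likely result is a duplicated `certificate_file` and a listener that cannot complete TLS setup for lack of a key. The line should read `private_key_file = ${system_ssldir}/private/radiusd.pem`, matching the `eap` module, with the original `certificate_file` line changed to `${system_ssldir}/certs/radiusd.pem` in its own hunk. The `tls {` section continues past this hunk.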
@@ -171,7 +171,7 @@ listen {
 		#  not use client certificates, and you do not want
 		#  to permit EAP-TLS authentication, then delete
 		#  this configuration item.
-		ca_file = ${cadir}/ca.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
 
 		#  For DH cipher suites to work in OpenSSL < 1.1.0,
 		#  you have to run OpenSSL to create the DH file
@@ -179,7 +179,7 @@ listen {
 		#  For OpenSSL >= 1.1.0, just leave this commented
 		#  out, and OpenSSL will do the right thing.
 		#
-	#	dh_file = ${certdir}/dh
+		dh_file = ${local_ssldir}/dh
 
 		#
 		#  If your system doesn't have /dev/urandom,
@@ -220,7 +220,7 @@ listen {
 		#  3) uncomment the line below.
 		#  5) Restart radiusd
 	#	check_crl = yes
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 
 		# OpenSSL does not reload contents of ca_path dir over time.
 		# That means that if check_crl is enabled and CRLs are loaded
@@ -475,8 +475,8 @@ home_server tls {
 		#
 	#	hostname = "example.com"
 
-		private_key_password = whatever
-		private_key_file = ${certdir}/client.pem
+		private_key_password =
+		private_key_file = ${system_ssldir}/private/client.pem
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -488,7 +488,7 @@ home_server tls {
 		#  only the server certificate, but ALSO all
 		#  of the CA certificates used to sign the
 		#  server certificate.
-		certificate_file = ${certdir}/client.pem
+		certificate_file = ${system_ssldir}/certs/client.pem
 
 		#  Trusted Root CA list
 		#
@@ -505,7 +505,7 @@ home_server tls {
 		#  not use client certificates, and you do not want
 		#  to permit EAP-TLS authentication, then delete
 		#  this configuration item.
-		ca_file = ${cadir}/ca.pem
+		ca_file = ${system_ssldir}/certs/ca-bundle.crt
 
 		#
 		#  For TLS-PSK, the key should be specified
@@ -527,7 +527,7 @@ home_server tls {
 		#
 		#  	openssl dhparam -out certs/dh 1024
 		#
-		dh_file = ${certdir}/dh
+		dh_file = ${local_ssldir}/dh
 		random_file = /dev/urandom
 
 		#
@@ -555,7 +555,7 @@ home_server tls {
 		#  3) uncomment the line below.
 		#  5) Restart radiusd
 	#	check_crl = yes
-		ca_path = ${cadir}
+		ca_path = ${local_ssldir}
 
 	       #
 	       #  If check_cert_issuer is set, the value will