Certificates & PKI
Certificate-based 802.1X and secure RADIUS transport both depend on certificates that the organization manages and EntryPoint trusts. This page describes what each certificate is for, the format it must be in, and where it is held. It applies to the EAP-TLS variants and to RadSec; EAP-PEAP needs only the RADIUS server certificate.
All certificates uploaded to EntryPoint are in PEM format (Base64-encoded). Only TLS 1.2 is used for EAP-TLS and RadSec; TLS 1.0, 1.1, and 1.3 are not used.
The RADIUS server certificate
Section titled “The RADIUS server certificate”The RADIUS server certificate secures the EAP conversation between clients and the service. It is required for both EAP-PEAP and EAP-TLS, and the organization chooses one of two options per context.
| Option | What it is | What the organization provides |
|---|---|---|
| Bring your own (BYOC) | A certificate from a public or private CA | The full chain (root, issuing, and server certificate) in one PEM file, and distribution of the root and issuing CA to client devices so they trust it |
| Built-in | A certificate managed by EntryPoint | Nothing to upload; clients must trust the EntryPoint RADIUS server |
With BYOC the certificate may come from a public CA or from the organization’s own PKI. With either option, the client devices must trust the chain, or authentication will fail at the TLS handshake.
Trusted CA certificates for EAP-TLS
Section titled “Trusted CA certificates for EAP-TLS”EAP-TLS validates the client certificate each device presents. For that, the issuing authorities are uploaded to the context as trusted CAs:
- The root CA and issuing CA certificates are uploaded under the context’s EAP-TLS settings, in PEM format.
- The chain must be valid and trusted across all client devices.
- The certificates may be issued by an internal PKI (for example Active Directory Certificate Services) or an external CA. They must comply with 802.1X certificate standards.
Each trusted CA shows its issuer and expiry in the portal so administrators can manage the lifecycle and replace certificates before they lapse.
Certificate revocation
Section titled “Certificate revocation”A Certificate Revocation List (CRL) URL is configured so EntryPoint can confirm that a presented client certificate has not been revoked. Client devices and the RADIUS service must be able to reach the CRL endpoint. Revocation checking is what lets a lost or decommissioned device be cut off without reissuing everyone else’s certificates.
Deploying client certificates
Section titled “Deploying client certificates”For EAP-TLS, each device carries a client certificate. These are distributed through Microsoft Intune, Group Policy, or another MDM, and must match the authentication policy configured on the context. The certificate’s subject identifies either the device or the user, depending on the variant.
Related sections
Section titled “Related sections”- RADIUS clients & RadSec: pointing network equipment at the context, and securing transport.
- Entra connection: resolving identity and group membership for EAP-TLS.
- EAP-TLS — Device certificate and EAP-TLS with Entra.