Skip to content
Setup & requirements

Certificates & PKI

Certificate-based 802.1X and secure RADIUS transport both depend on certificates that the organization manages and EntryPoint trusts. This page describes what each certificate is for, the format it must be in, and where it is held. It applies to the EAP-TLS variants and to RadSec; EAP-PEAP needs only the RADIUS server certificate.

All certificates uploaded to EntryPoint are in PEM format (Base64-encoded). Only TLS 1.2 is used for EAP-TLS and RadSec; TLS 1.0, 1.1, and 1.3 are not used.

The RADIUS server certificate secures the EAP conversation between clients and the service. It is required for both EAP-PEAP and EAP-TLS, and the organization chooses one of two options per context.

OptionWhat it isWhat the organization provides
Bring your own (BYOC)A certificate from a public or private CAThe full chain (root, issuing, and server certificate) in one PEM file, and distribution of the root and issuing CA to client devices so they trust it
Built-inA certificate managed by EntryPointNothing to upload; clients must trust the EntryPoint RADIUS server

With BYOC the certificate may come from a public CA or from the organization’s own PKI. With either option, the client devices must trust the chain, or authentication will fail at the TLS handshake.

EAP-TLS validates the client certificate each device presents. For that, the issuing authorities are uploaded to the context as trusted CAs:

  • The root CA and issuing CA certificates are uploaded under the context’s EAP-TLS settings, in PEM format.
  • The chain must be valid and trusted across all client devices.
  • The certificates may be issued by an internal PKI (for example Active Directory Certificate Services) or an external CA. They must comply with 802.1X certificate standards.

Each trusted CA shows its issuer and expiry in the portal so administrators can manage the lifecycle and replace certificates before they lapse.

A Certificate Revocation List (CRL) URL is configured so EntryPoint can confirm that a presented client certificate has not been revoked. Client devices and the RADIUS service must be able to reach the CRL endpoint. Revocation checking is what lets a lost or decommissioned device be cut off without reissuing everyone else’s certificates.

For EAP-TLS, each device carries a client certificate. These are distributed through Microsoft Intune, Group Policy, or another MDM, and must match the authentication policy configured on the context. The certificate’s subject identifies either the device or the user, depending on the variant.

Next