Replace a RADIUS Server Certificate

A RADIUS server certificate is presented to a RADIUS client by RSA RADIUS so that the client can verify the identity of the RADIUS server. You can use the Operations Console to replace the existing server certificate of a RADIUS Server with a different certificate. For example, you might prefer to assign a certificate that has your organization as its trusted root signer. RSA RADIUS does not replicate the server certificate. You must access each RADIUS server directly and perform the following procedure.

Note: The RADIUS server certificate and trusted root certificate used by the RADIUS server must be based upon the RSA algorithm.

Before you begin

  • You must be a Super Admin.

  • Make sure you have a keystore (.pfx) file that contains the new server certificate and the associated private key. This file should be in PKCS #12 file format and contain the replacement certificate and private key only. If the keystore contains more than one certificate, the wrong certificate may be used as the replacement server certificate.

  • Add a trusted root certificate to the system. Add the certificate used to sign the replacement server certificate. The signing certificate must be in DER format and have a .der extension. If the replacement certificate is self-signed, you do not need to add the signing certificate.For instructions, see Add a Trusted Root Certificate .


  1. On the primary instance Operations Console, click Deployment Configuration > RADIUS Servers.

  2. If prompted, enter your Security Console User ID and password, and click OK.

  3. Click the RADIUS server whose certificate you want to replace, and select Manage EAP Certificates from the context menu.

  4. In the Manage EAP Certificates page, click the Server Certificate tab.

  5. Under Replace Server Certificate, click Browse to locate the keystore file containing the replacement certificate and associated private key.

    You must select a keystore that is in PKCS #12 certificate store format, with a .pfx suffix.

  6. Enter the password for the keystore file containing the replacement certificate in the Keystore Password field.

  7. Click Save & Restart RADIUS Server.

    The RADIUS server must restart for the change to take effect.

  8. Repeat this procedure for each RSA RADIUS server in the deployment.