Issuing Certificates
This section describes the procedures for issuing and importing (applying) electronic certificates (certificates) used in EAP‑TLS (certificate‑based authentication) for 802.1X Authentication.
About Certificates
This product includes a function that acts as a Certification Authority (CA) to issue electronic certificates (Local CA function). The following Certificates can be issued.
- Root CA Certificate (CA Certificate)
- Certificate Distribution Site Certificate (Server Certificate for Certificate Distribution Site)
- Server Certificate (RADIUS Server Certificate)
- Client Certificate
Note: Certificates issued by AT-RADgate are supported only in configurations where AT-RADgate is used as a RADIUS Server.
The Certificates required for AT-RADgate and for the Endpoints used by users are as follows.
- AT-RADgate
  - CA Certificate
  - Server Certificate
- Endpoints used by users
  - CA Certificate
  - Client Certificate
Note: The CA Certificate used by AT-RADgate and by the users' Endpoints is the same.
Note: The Server Certificate and the Client Certificate are signed by the CA of AT-RADgate.
Issuing and Importing (Applying) Certificates
As an example, this section issues and imports (applies) Certificates using the following procedure.
1. Create Certificate Authority
2. Configuring the Certificate Profiles for the Server Certificate and the Client Certificate
3. Importing the Root CA (CA Certificate)
4. Issuing Server Certificates
5. Policy Management > Adding (Registering) Users
6. Issuing Client Certificates
7. Notifying the Client Certificate and CA Certificate Distribution Site
8. Downloading the Client Certificate and CA Certificate
9. When there is no valid SMTP Server configuration
Note: The Certificate profile configuration in Step 2 is optional.
Note: In Step 6, set whether to use a password when issuing a Client Certificate. Configure the settings according to the device on which the Client Certificate is imported.
Note: Client Certificates issued with AT-RADgate 1.2.0 are equivalent to the Not set (no password) setting.
If multiple entries are selected and “Set password” is specified when issuing Client Certificates, the same password is used for the Client Certificates issued for all selected entries.
Note: In Step 7, the URL of the Client Certificate and CA Certificate distribution site is sent by email. This assumes, as a prerequisite, that a valid SMTP Server is already configured on the System Management > Email Settings page. If no valid SMTP Server is configured, skip Step 7 and Step 8, and proceed to Step 9.
1. Create Certificate Authority
CA creation is performed in the CA Management page.
Click the "Create" button.

You can configure the Common Name (CN), Organization (O), and other fields to be included in the Certificate, but here only the required field, Common Name (CN), is configured. The initial settings for the public key algorithm ECC P-384, the signature hash algorithm SHA-384, and the validity period of 3650 days are used as-is.
Configure the settings, then click the “Save” button followed by the “OK” button. Other items that are not configured remain blank.

| Common Name (CN) | AT-RADgate-CA |

The CA Management page changes to the following display.

When the CA is created, the following Certificates are issued. The two Certificates—the Root CA (CA Certificate) and the Certificate Distribution Site (Server Certificate for the Cert Distribution Site)—can be viewed in the CA Management > About CA page.
- Root CA (CA Certificate)
- Certificate Distribution Site Certificate (Server Certificate for Certificate Distribution Site)


Note that the Certificate for the Certificate Distribution Site is not used here.
2. Configuring the Certificate Profiles for the Server Certificate and the Client Certificate
In the CA Management page, you can configure the Certificate profiles for the Server Certificate and the Client Certificate in the Certificate profile tab, but this configuration is optional. By configuring these settings, fields such as Country (C) and Organization (O) are reflected when the Certificate is issued. Since the Certificate profile is not configured here, the initial settings—public key algorithm ECC P‑384, signature hash algorithm SHA‑384, and a validity period of 3650 days—are used (other fields remain blank).
3. Importing the Root CA (CA Certificate)
The Root CA (CA Certificate) issued when the CA was created in Step 1 is imported (applied) to AT-RADgate (the RADIUS Server).
This is done in the “Trusted CA Certificate” section of the RADIUS Management > General page.

Click the “Import” button in “Trusted CA Certificate”, select “Use local CA certificate”, and then click the “OK” button.



“AT‑RADgate‑CA” is displayed in “Trusted CA Certificate”.

4. Issuing Server Certificates
When the CA is created in Step 1, the Server Certificate (RADIUS Server Certificate) can be issued.
This is done in the “Server Certificate” section of the System Management > Network Settings page.

Click the “Issue” button displayed at the right end of “RADIUS” shown under “Role” in “Server Certificate”.

The Issue Certificate dialog is displayed.
Here, only the required field, Common Name (CN), is configured, and the “Issue” button followed by the “OK” button is clicked (the “Subject Alternative Name (SAN)” field remains blank).

| Common Name (CN) | AT-RADgate-server-certificate |

The Common Name (CN) of “RADIUS” changes to “AT‑RADgate‑server‑certificate”.

Issuing a Server Certificate displays the issued Certificate on the CA Management page under the Certificate tab.

5. Policy Management / Adding (Registering) Users
Client Certificates are issued on the CA Management page, under the User Certificate Issue Tool tab. However, the entries displayed in the User Cert Issue Tool are the users created on the Policy Management > User page. Therefore, add (register) users on the Policy Management > User page.
When you click the "Add" button, the Add User dialog appears.


Here, configure Login Name, Password, and Email Address, then click the "Save" button followed by the "OK" button (leave the other fields blank).
In the distribution process of the CA Management page under the User Cert Issue Tool, a notification email containing the URL of the Cert distribution site is sent to the Email Address configured here.

| Login Name | user1 |
| Password | password1 |
| Email Address | sample@example.jp |

"user1" appears in Login Name.

6. Issuing Client Certificates
On the CA Management page, the User Cert Issue Tool tab displays the entry added (registered) in Step 5, and a Client Certificate is issued for that entry.
Click the menu button at the right end of the displayed entry, and then click the “Issue” button.

The Issue Certificate dialog is displayed.

Here, set an optional password for the Client Certificate. Select “Set password” for “Certificate password”, enter a password in “Password”, and then click the “Issue” → “OK” buttons.

| Certificate password | Certificate password |
| Password | TopSecret0! |


When a Client Certificate is issued, the issued Certificate appears on the CA Management page under the Certificate tab.

7. Notifying the Client Certificate and CA Certificate Distribution Site
Note: When you check the checkbox to the left of Login Name for the entry displayed on the CA Management page under the User Cert Issue Tool tab, the “Distribute” button becomes available. If there is no valid SMTP Server configuration in the items on the System Management > Email Settings page, proceed to Step 9.


When you click the “Distribute” button followed by the “OK” button, an Email containing the URL of the Cert Distribution Site is sent to the address configured in the user's Email Address field.


When the “Sending emails” message disappears, the Email has been successfully sent.

8. Downloading the Client Certificate and CA Certificate
The URL of the Cert Distribution Site is sent to the configured Email Address with content similar to the following.
You can access the Cert Distribution Site (AT-RADgate Download Certificate) from the following link.
https://(AT-RADgate's IP Address):9000
When you click the above link, a page such as the one shown below appears. Here, you download the CA Certificate and the Client Certificate.

◼ Downloading CA Certificate
Click the "Download" button for the CA Certificate to download the CA Certificate. The CA Certificate is in PEM format.

◼ Downloading Client Certificate
You need to log in to download the Client Certificate. When you click the "Login" button for the Client Certificate, the Login page is displayed. Enter the Login Name and Password that were added (registered) in the User policy, and then click the "Login" button.
When the login is successful, the Client Certificate is displayed. This Login Name and Password are not the “User Name” and “Password” used to log in to the AT‑RADgate settings page, but the User’s “Login Name” and “Password” that were added (registered) on the Policy Management > User page.



There is a menu button on the right side of the Client Certificate. Select “Download” to download the Client Certificate. The Client Certificate is in PKCS#12 format.

The User Name and Password for login are required to download the Client Certificate. If you do not need to log in again after downloading the Client Certificate, you can delete the user that was added (registered) on the Policy Management > User page. However, if you delete the corresponding User on the Policy Management > User page before logging in on this page, you cannot log in.
Import (apply) the two downloaded Certificates (the CA Certificate and the Client Certificate) to the device used by the User. Since a password is set for the Client Certificate in this case, the password configured in Step 6 is required when importing (applying) it. Refer to the device’s manual for the import (application) procedure.
The issuance and import (application) of Certificates for AT-RADgate and the Endpoints used by Users are completed.
9. When there is no valid SMTP Server configuration
If there is no valid SMTP Server configuration in the items on the System Management > Email Settings page, the two Certificates (the CA Certificate and the Client Certificate) imported (applied) to the Endpoints used by Users are downloaded from AT-RADgate.
The CA Certificate is downloaded on the CA Management > About CA page.

The Client Certificate is downloaded on the CA Management page under the Certificate tab.
Note: After issuing the Client Certificate, the Client Certificate can be downloaded even if the User added (registered) on the Policy Management > User page is deleted.

Import (apply) the two downloaded Certificates (the CA Certificate and the Client Certificate) to the device used by the User. Since a password is set for the Client Certificate in this case, the password configured in Step 6 is required when importing (applying) it. Refer to the device’s manual for the import (application) procedure.
The issuance and import (application) of Certificates for AT-RADgate and the Endpoints used by Users are completed.
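Before importing the two downloaded files on an endpoint (Step 8 or Step 9), you can confirm that the PKCS#12 file opens with the Step 6 password, that its certificate chains to the CA Certificate, and that it uses the default ECC P-384 / SHA-384 settings from Step 1. The script below is an added example, not part of the AT-RADgate manual: it assumes the `openssl` command-line tool is installed, and the file names (`ca.pem`, `user1.p12`) and the sample files it builds are constructed for illustration.

```sh
#!/bin/sh
# Added example. The files below are constructed stand-ins for the CA Certificate (PEM)
# and Client Certificate (PKCS#12) from the walkthrough; nothing contacts AT-RADgate.

# make_sample DIR PASS: build a throwaway CA and client certificate with the page's
# defaults (ECC P-384, SHA-384, 3650 days) so the check has input to run on.
make_sample() {
  d=$1
  openssl ecparam -name secp384r1 -genkey -noout -out "$d/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$d/ca.key" -sha384 -days 3650 \
    -subj "/CN=AT-RADgate-CA" -out "$d/ca.pem" 2>/dev/null
  openssl ecparam -name secp384r1 -genkey -noout -out "$d/user1.key" 2>/dev/null
  openssl req -new -key "$d/user1.key" -subj "/CN=user1" -out "$d/user1.csr" 2>/dev/null
  openssl x509 -req -in "$d/user1.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -sha384 -days 3650 -out "$d/user1.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/user1.key" -in "$d/user1.pem" \
    -passout "pass:$2" -out "$d/user1.p12" 2>/dev/null
}

# check_client_p12 P12 CA_PEM PASS: pre-import check on the endpoint side.
# Returns 1 if the password does not open the file, 2 if the certificate does not
# verify against the CA (wrong issuer, expired), 3 if key or signature differ
# from ECC P-384 / SHA-384, and 0 if every check passes.
check_client_p12() {
  cert=$(openssl pkcs12 -in "$1" -passin "pass:$3" -nokeys -clcerts 2>/dev/null) || return 1
  printf '%s\n' "$cert" | openssl verify -CAfile "$2" >/dev/null 2>&1 || return 2
  text=$(printf '%s\n' "$cert" | openssl x509 -noout -text 2>/dev/null) || return 3
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: ecdsa-with-SHA384' || return 3
  printf '%s\n' "$text" | grep -q 'NIST CURVE: P-384' || return 3
  return 0
}

# Stand-alone run on constructed files, using the sample password from Step 6.
tmp=$(mktemp -d)
make_sample "$tmp" 'TopSecret0!'
if check_client_p12 "$tmp/user1.p12" "$tmp/ca.pem" 'TopSecret0!'; then
  echo "client certificate chains to the CA and uses P-384/SHA-384"
fi
rm -rf "$tmp"
```

On a shared machine, pass the password with `-passin file:` or `-passin env:` instead of `pass:`, since command-line arguments are visible in the process list.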
02 Apr 2026 08:03