Certificate Management
Configure TLS certificates for secure authentication
Why Certificates Matter
Certificates are used throughout Warden for secure communication:
- EAP-TLS/PEAP - Server certificate validates Warden to clients
- LDAPS - Secure connections to LDAP identity providers
- Web Interface - HTTPS for the admin portal
- Client Certificates - Optional authentication for admin access
Without proper certificates, clients may reject connections or fall back to insecure communication methods.
Certificate Types in Warden
RADIUS/EAP Server Certificate
Presented to clients during EAP authentication (802.1X). Clients verify this certificate to ensure they're talking to the real RADIUS server, not an attacker.
Web Interface Certificate
HTTPS certificate for the Warden admin portal. Your browser verifies this to ensure secure access to the management interface.
CA Certificates
Certificate Authority certs that Warden trusts. Used to validate connections to LDAPS servers and verify client certificates.
Generating Certificates
You have several options for certificates:
Option 1: Self-Signed (Testing/Internal)
Warden can generate self-signed certificates. These work fine technically but require configuring clients to trust them explicitly.
- Go to Settings > Certificates
- Click Generate Self-Signed Certificate
- Enter the certificate details (Common Name should match your server name)
- Set validity period (1-5 years typical)
- Click Generate
For 802.1X: Self-signed certificates require distributing the CA certificate to all client devices. This is manageable with MDM but tedious for BYOD environments.
Option 2: Internal CA (Enterprise)
If you have an internal Certificate Authority (like Microsoft AD CS), request a certificate from it. Clients that trust your CA will automatically trust Warden.
- Generate a Certificate Signing Request (CSR) in Warden
- Submit the CSR to your CA
- Import the signed certificate back into Warden
Option 3: Let's Encrypt (Free, Automatic)
Let's Encrypt provides free, trusted certificates that automatically renew. During setup, you can choose to use Let's Encrypt for your web interface certificate.
Requirements for Let's Encrypt
- Public domain name - Must resolve to your Warden server
- Port 80 accessible - For HTTP-01 challenge verification
- Internet access - Warden must reach Let's Encrypt servers
Setup During Installation
- During the Setup Wizard, enter your hostname (e.g., warden.yourcompany.com)
- Select Let's Encrypt as the certificate option
- Warden will automatically request and install the certificate
- Certificate renews automatically before expiration
Automatic renewal: Let's Encrypt certificates are valid for 90 days. Warden automatically renews them 30 days before expiration - no manual intervention needed.
Option 4: Other Public CAs (DigiCert, Sectigo, etc.)
You can also purchase certificates from commercial CAs. These require manual renewal but may be preferred in enterprise environments with existing CA relationships.
RADIUS note: Public CA certificates aren't typically used for EAP/802.1X because most supplicants don't validate RADIUS server certificates against the public CA store. Use internal or self-signed for RADIUS.
Importing Certificates
- Go to Settings > Certificates
- Click Import Certificate
- Upload the certificate file (PEM, CRT, or PFX format)
- If PFX, enter the password
- Upload the private key if separate from certificate
- Select the certificate purpose (RADIUS, Web, or both)
- Click Import
Supported Formats
Certificate Chain
For clients to trust your certificate, they need the full chain from your certificate up to a trusted root CA. The chain typically looks like:
When importing, include intermediate certificates in the chain. Root certificates should already be trusted by clients.
Client Certificate Authentication
For high-security environments, Warden can require client certificates for admin portal access. This provides mutual TLS (mTLS) authentication.
Setting Up mTLS
- Generate or obtain client certificates for each admin
- Import the issuing CA certificate into Warden's trust store
- Enable "Require Client Certificate" in portal settings
- Install client certificates in admin browsers
Fallback available: You can enable client certs as an alternative to username/password rather than a requirement. This lets admins use either method.
Certificate Expiration
Certificates expire! When they do, authentication fails. Warden helps you stay ahead:
- Dashboard shows certificate expiration status
- Email alerts before certificates expire (configure in Settings)
- Expired certificates are highlighted in the certificate list
Best Practices
- Set calendar reminders for 30 days before expiration
- Plan certificate renewals during maintenance windows
- Test new certificates before deploying to production
- Keep the old certificate available for rollback
Troubleshooting
Clients reject the certificate
- Check that the certificate chain is complete
- Verify clients trust the CA that issued the certificate
- Ensure the certificate Common Name matches the hostname clients expect
- Check that the certificate hasn't expired
"Certificate/key mismatch"
- The private key must match the certificate's public key
- If you regenerated the CSR, a new key pair was created, so the existing certificate no longer matches and you need a new one issued
- Check you're using the correct key file
LDAPS connection fails
- Import the LDAP server's CA certificate into Warden's trust store
- Verify the certificate hostname matches what you're connecting to
- Check if the LDAP server's certificate has expired
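As an added example (not Warden's own tooling or documentation), the POSIX shell script below runs the checks from the Certificate Chain section and the troubleshooting items above with the openssl CLI before a certificate is imported: chain completeness up to a trusted root, hostname coverage, expiry (with a 30-day warning matching the renewal reminder above), and private key/certificate match. The file names, the hostname warden.example.com and the throwaway root/intermediate/server PKI it builds are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not part of Warden: pre-flight checks with the openssl CLI for a
# server certificate before it is imported. Assumed (hypothetical) inputs:
# server.pem (leaf cert), server.key (its private key), int.pem (intermediate
# chain), root.pem (trusted root) and the hostname clients expect.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

# Runs the four checks. Returns 0 only when all pass; prints one FAIL/WARN line
# per problem so the operator knows which troubleshooting item applies.
check_server_cert() {
    cert=$1; key=$2; chain=$3; root=$4; host=$5
    rc=0
    # 1. Chain: the leaf must verify through the intermediates up to the root,
    #    which is exactly what a supplicant or browser does with the sent chain.
    if ! openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL chain: $cert does not verify via $chain up to $root"; rc=1
    fi
    # 2. Hostname: the CN or a SAN entry must cover the name clients connect to.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q "does match"; then
        echo "FAIL hostname: $host is not covered by the certificate CN/SAN"; rc=1
    fi
    # 3. Expiry: fail when already expired, warn when under 30 days remain.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL expiry: certificate has expired"; rc=1
    elif ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "WARN expiry: certificate expires within 30 days"
    fi
    # 4. Key match: the public key inside the certificate must equal the public
    #    key derived from the private key ("Certificate/key mismatch" otherwise).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    case $cert_pub in
        *"BEGIN PUBLIC KEY"*) ;;
        *) cert_pub="unreadable" ;;
    esac
    if [ "$cert_pub" = "unreadable" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL keymatch: private key does not match the certificate"; rc=1
    fi
    return $rc
}

# Builds a throwaway root -> intermediate -> server chain in $1 for hostname $2
# so the checks can be exercised offline. Constructed demo material, not a real PKI.
make_demo_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" >"$dir/server.ext"
    # Root CA (self-signed)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial -days 1825 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    # Server (leaf) certificate with SAN, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
    # An unrelated key, to reproduce the "Certificate/key mismatch" diagnostic
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/wrong.key" 2>/dev/null
}

# Stand-alone demo: correct inputs first, then the same certificate with the
# wrong private key to show how the mismatch is reported.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_HOST=warden.example.com   # constructed hostname
make_demo_pki "$DEMO_DIR" "$DEMO_HOST"
echo "== correct certificate, key, chain and hostname =="
check_server_cert "$DEMO_DIR/server.pem" "$DEMO_DIR/server.key" "$DEMO_DIR/int.pem" "$DEMO_DIR/root.pem" "$DEMO_HOST" && echo "OK: ready to import"
echo "== same certificate with the wrong private key =="
check_server_cert "$DEMO_DIR/server.pem" "$DEMO_DIR/wrong.key" "$DEMO_DIR/int.pem" "$DEMO_DIR/root.pem" "$DEMO_HOST" || echo "not importable"
```

Run `check_server_cert` against the real files you are about to upload and fix every FAIL line before importing; passing the root in place of the intermediate file, or omitting intermediates, reproduces the incomplete-chain case that makes clients reject the certificate. For the LDAPS item, the equivalent client-side check is `openssl s_client -connect ldap.example.com:636 -CAfile ca.pem -verify_hostname ldap.example.com` (constructed names), whose "Verify return code" line shows whether the server's chain validates against the CA you plan to import into Warden's trust store.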