'bad key' after changing SSL cert


Shawn Lebbon

Jan 27, 2021, 12:26:48 PM
to KaplanSoft TekRADIUS
Renewed SSL certificate and now getting 'bad key' error in log from all RADIUS clients. I verified that the client RADIUS key is correct. A portion of the log is here:

27.01.2021 11:22:03.797 - EAP-PEAP Authentication commencing for user 'username' (Windows User) [3 (4)]

27.01.2021 11:22:03.797 - RadAuth req. from : 10.10.10.60:57047 [UDP] caused an error.

 Error            : Bad Key. [74302]
 Error Timestamp  : 27.01.2021 11:22:03.797
 Size             : 507 / 507
 Identifier       : 4
 Attributes       : 

 Framed-MTU = 1400
 State = ff102fd8a7dce1754baafcb98c3710a3
 NAS-Port-Type = 19
 Called-Station-Id = AC-17-C8-02-3F-D4:SSID
 Connect-Info = CONNECT 11Mbps 802.11b
 Calling-Station-Id = 00-00-00-00-00-02
 NAS-IP-Address = 6.4.74.244
 User-Name = username

Yasin KAPLAN

Jan 27, 2021, 12:35:02 PM
to KaplanSoft TekRADIUS
Hi,

Have you set the "Private key is exportable" option while importing the certificate?

Best regards,

Yasin KAPLAN

Shawn Lebbon

Jan 27, 2021, 1:17:37 PM
to KaplanSoft TekRADIUS
I had originally not made the certificate exportable but actually picked up on that reviewing the configuration. I've since fixed that, but it's still not working with the same error.

After re-generating the certificate, it is now exportable, but I'm still getting the same error, even after restarting the service. Are there any other certificate requirements I may be missing? The certificate is a public one issued from GoDaddy, 2048 bit, SHA-256. The prior one we used for the last 2 years was the same, so I don't expect an issue there. I'm still on LT v5.5.0; I'll look at trying to update to the latest patch as well...

Yasin KAPLAN

Jan 27, 2021, 1:19:50 PM
to KaplanSoft TekRADIUS
Hi,

I recommend that you export the current certificate with its private key (in .pfx format) and delete all instances of the new and old certificates from the Windows Certificate store. Import the exported certificate with the "Private key exportable" option, set this certificate as the server certificate in TekRADIUS, and try again.

Best regards,

Yasin KAPLAN

Shawn Lebbon

Jan 27, 2021, 1:48:04 PM
to KaplanSoft TekRADIUS
I have done that with no success. I made sure to restart the service and exit the manager application in between steps. I did note that while the valid certificate was deleted from the cert store and the TekRADIUS settings were selecting an old expired self-signed cert we had used 2 years ago in testing, I did not receive the Bad Key error (of course, then wireless client devices would get certificate errors). But the connection and 'test radius connection' tests (which ignore certificate validation) worked with the self-signed cert, but immediately fail again when switching back to the now newly re-imported 'valid' certificate. It definitely disappeared from the dropdown list in between and I removed all copies from the cert store. Windows seems happy with the certificate, shows the private key and shows it valid.

Yasin KAPLAN

Jan 27, 2021, 1:48:46 PM
to KaplanSoft TekRADIUS
How did you generate the certificate signing request for the new certificate?

Shawn Lebbon

Jan 27, 2021, 4:14:17 PM
to KaplanSoft TekRADIUS
I had generated the CSR through the certmgr GUI in Server 2016. I must have forgotten something in the last few years since we last changed the certificate, because I did it the same way back then successfully (I was careful to use 'legacy' not CNG mode this time), but I must have still had some other attribute or setting wrong. I switched to using PowerShell and the certreq command and have re-issued the cert again, but now with success!

Once again I'm grateful for your speedy replies because they helped me navigate the correct course to find the proper resolution.
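
For readers following the same route, this is one way to generate the request with certreq from PowerShell so that the key is exportable and held by a legacy CSP rather than a CNG provider. It is an added example, not part of the original thread: the thread does not say which request setting was at fault, and the subject name, file names and the choice of the SChannel CSP are assumptions.

```powershell
# Added example. radius.example.com and the .\radius.* file names are placeholders.
# The single-quoted here-string keeps "$Windows NT$" literal.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=radius.example.com"   ; placeholder subject
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE                   ; private key can be exported to .pfx
MachineKeySet = TRUE                ; key is created in the machine store
KeySpec = 1                         ; AT_KEYEXCHANGE
KeyUsage = 0xA0                     ; digitalSignature + keyEncipherment
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12                   ; legacy CSP, not a CNG key storage provider
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1             ; server authentication
'@

Set-Content -Path .\radius.inf -Value $inf -Encoding ASCII

# Create the key pair and the CSR on the RADIUS server itself.
certreq -new .\radius.inf .\radius.csr

# Submit radius.csr to the CA. When the issued certificate comes back,
# bind it to the pending request and its private key:
certreq -accept .\radius.cer

# Confirm the result before selecting the certificate in TekRADIUS.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*radius.example.com*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

$cert | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey

# The "Provider = ..." line in this output names the CSP or KSP holding the key.
certutil -store My $cert.Thumbprint
```

Run it from an elevated prompt, since the request creates a machine key.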

Yasin KAPLAN

Jan 28, 2021, 3:18:32 AM
to KaplanSoft TekRADIUS
You're welcome. I recommend that you use TekCERT for certificate management: https://www.kaplansoft.com/tekcert/