- # This configuration entry should be deleted
- # once the server is running in a normal
- # configuration. It is here ONLY to make
- # initial deployments easier.
+ # This command creates the initial "snake oil"
+ # certificates when the server is run as root,
+ # and via "radiusd -X".
+ #
+ # As of 2.1.11, it *also* checks the server
+ # certificate for validity, including expiration.
+ # This means that radiusd will refuse to start
+ # when the certificate has expired. The alternative
+ # is to have the 802.1X clients refuse to connect
+ # when they discover the certificate has expired.
+ #
+ # Debugging client issues is hard, so it's better
+ # for the server to print out an error message,
+ # and refuse to start.
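Review bot: the new comment drops the removed guidance that this entry "should be deleted once the server is running in a normal configuration", yet it now says the same command performs the expiration check, so a reader cannot tell whether the entry should stay in a production config. Say so explicitly, and make clear whether the validity check runs on every start or only under the conditions given in the first sentence ("when the server is run as root, and via "radiusd -X""), because the paragraph starting "As of 2.1.11" reads as unconditional ("radiusd will refuse to start"). It would also be worth keeping one line from the old text noting that the "snake oil" certificates exist only to make initial deployments easier.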