  • 987 views
  • Published 1 month ago by LinuxCloudHacks

The ULTIMATE Guide to Enterprise Wi-Fi Security (HashiCorp Vault + EAP-TLS)

Stop dealing with weak, shared Wi-Fi passwords! This video is Part 1 of a deep-dive series where we build a complete, enterprise-grade *Certificate Authority (CA) from scratch* using HashiCorp Vault. We'll integrate it with *FreeRADIUS* to implement *EAP-TLS* (mutual certificate authentication), the gold standard for securing a wireless network, and remove the weakest link in the chain: the shared password. By the end, you'll have a fully working proof of concept in which devices authenticate with unique digital certificates instead of passwords.

### What You Will Learn:

* *EAP-TLS Security:* Understand why certificate-based authentication is the gold standard and how it takes the password off the attack surface entirely.
* *PKI Hierarchy:* Turn HashiCorp Vault into a proper two-tier Public Key Infrastructure (PKI) with a secured *Root CA* and a separate Intermediate CA that does the day-to-day signing.
* *Vault Setup:* Learn how to install, configure, and securely unseal the Vault server.
* *Certificate Issuance:* Define Vault roles that restrict the allowed domains, key usage, and validity period, then issue certificates for both your RADIUS server and your client devices.
* *Network Access Control:* Configure *FreeRADIUS* as the EAP-TLS gatekeeper to enforce policy based on the contents of the client certificate.
* *Real-World Test:* Configure a *UniFi Controller* and connect a client device using the *PKCS#12* certificate bundle.

### Video Chapters:

00:00 Introduction & Project Overview (Why EAP-TLS?)
01:44 Understanding Certificate Authentication (EAP-TLS)
04:45 Introduction to HashiCorp Vault (Secrets Management)
07:56 Installing and Configuring Vault
13:09 Building Your Certificate Authority (Root & Intermediate CAs)
17:11 Creating Roles and Server Certificates (RADIUS)
20:08 Issuing Client Certificates
23:25 Setting Up FreeRADIUS
28:10 Configuring the UniFi Controller
29:29 Testing Client Connection (PKCS#12 & macOS)
31:40 Conclusion and What's Next (Automation)

### What's Next? Automate Everything!

The process shown in this video is done by hand so that you understand every step. In Part 2, we will automate the entire certificate lifecycle (issuance and renewal) using *Vault Agent* and *AppRole*, so the system scales to production without manual intervention.

### Resources:

All sample files for FreeRADIUS and Vault are in the GitHub repo. You can build and configure Vault entirely from the CLI.

* *Code & Configs:* [ ]
* *HashiCorp Vault Documentation:* [ ]
* *FreeRADIUS Documentation:* [ ]

#eaptls #wpa3 #devops #pki #vault #freeradius #certificate #hashicorp #vaultserver
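The Vault side of the procedure described above (two-tier CA, roles that restrict domain, key usage and validity, server and client certificates, PKCS#12 bundle) as one script, driven from the CLI. This is an added example and not the video's or the linked repo's code. Everything named in it is an assumption, not something the page states: the mount paths `pki` and `pki_int`, the role names `radius-server` and `wifi-client`, the domain `example.internal`, the device name `laptop-01`, and an already-unsealed Vault reachable through `VAULT_ADDR` with a token in `VAULT_TOKEN` that is allowed to manage those mounts. It needs `vault`, `jq` and `openssl` on the PATH.

```shell
#!/bin/sh
# Added example (not the video's or its repo's code): two-tier PKI in
# HashiCorp Vault for EAP-TLS, built from the CLI. Assumed names: mounts
# pki (root) and pki_int (intermediate), roles radius-server and
# wifi-client, domain example.internal. Needs vault, jq and openssl and an
# unsealed Vault addressed by VAULT_ADDR/VAULT_TOKEN.
set -eu

DOMAIN="${DOMAIN:-example.internal}"
OUT="${OUT:-./pki-out}"

# Root CA in its own mount. "internal" keeps the private key inside Vault
# (it is never returned to the operator); the root signs only the intermediate.
build_root_ca() {
  vault secrets enable -path=pki pki
  vault secrets tune -max-lease-ttl=87600h pki
  vault write -field=certificate pki/root/generate/internal \
    common_name="Example Root CA" ttl=87600h key_bits=4096 > "$OUT/root_ca.pem"
}

# Intermediate CA: CSR generated inside pki_int, signed by the root, and the
# signed certificate installed back into pki_int. Leaf certs come from here.
build_intermediate_ca() {
  vault secrets enable -path=pki_int pki
  vault secrets tune -max-lease-ttl=43800h pki_int
  vault write -format=json pki_int/intermediate/generate/internal \
    common_name="Example Intermediate CA" key_bits=4096 \
    | jq -r '.data.csr' > "$OUT/pki_int.csr"
  vault write -format=json pki/root/sign-intermediate \
    csr=@"$OUT/pki_int.csr" ttl=43800h \
    | jq -r '.data.certificate' > "$OUT/intermediate.pem"
  vault write pki_int/intermediate/set-signed certificate=@"$OUT/intermediate.pem"
  # Trust chain for FreeRADIUS (ca_file) and for every client PKCS#12.
  cat "$OUT/intermediate.pem" "$OUT/root_ca.pem" > "$OUT/ca_chain.pem"
}

# Role parameters. Server and client roles deliberately differ in flags and
# EKU so a client certificate can never impersonate the RADIUS server and a
# leaked server certificate cannot join the Wi-Fi as a client.
role_args() {
  case "$1" in
    server) echo "allowed_domains=$DOMAIN allow_subdomains=true server_flag=true client_flag=false" \
                 "key_usage=DigitalSignature,KeyEncipherment ext_key_usage=ServerAuth max_ttl=8760h" ;;
    client) echo "allowed_domains=$DOMAIN allow_subdomains=true server_flag=false client_flag=true" \
                 "key_usage=DigitalSignature ext_key_usage=ClientAuth max_ttl=2160h" ;;
    *) echo "role_args: unknown kind '$1'" >&2; return 1 ;;
  esac
}

create_roles() {
  # Word-splitting of $(role_args ...) is intended: one key=value per argument.
  vault write pki_int/roles/radius-server $(role_args server)
  vault write pki_int/roles/wifi-client $(role_args client)
}

issue_server_cert() {
  vault write -format=json pki_int/issue/radius-server \
    common_name="radius.$DOMAIN" ttl=8760h > "$OUT/radius.json"
  jq -r '.data.certificate' "$OUT/radius.json" > "$OUT/radius.crt"
  jq -r '.data.private_key' "$OUT/radius.json" > "$OUT/radius.key"
  chmod 600 "$OUT/radius.key"; rm -f "$OUT/radius.json"
}

# One certificate per device; the CN is what FreeRADIUS can match against the
# User-Name the supplicant sends. Key and cert go into a password-protected
# PKCS#12 and the loose key file is removed.
issue_client_p12() {
  device="$1"; pass="$2"
  vault write -format=json pki_int/issue/wifi-client \
    common_name="$device.$DOMAIN" ttl=2160h > "$OUT/$device.json"
  jq -r '.data.certificate' "$OUT/$device.json" > "$OUT/$device.crt"
  jq -r '.data.private_key' "$OUT/$device.json" > "$OUT/$device.key"
  openssl pkcs12 -export -in "$OUT/$device.crt" -inkey "$OUT/$device.key" \
    -certfile "$OUT/ca_chain.pem" -name "$device.$DOMAIN" \
    -out "$OUT/$device.p12" -passout "pass:$pass"
  rm -f "$OUT/$device.key" "$OUT/$device.json"
}

# Offline check of what the RADIUS server will enforce: the certificate
# chains to our CA and is valid for client authentication only.
verify_client_cert() {
  openssl verify -CAfile "$OUT/ca_chain.pem" -purpose sslclient "$OUT/$1.crt" >/dev/null
  ! openssl verify -CAfile "$OUT/ca_chain.pem" -purpose sslserver "$OUT/$1.crt" >/dev/null 2>&1
}

main() {
  mkdir -p "$OUT"
  build_root_ca
  build_intermediate_ca
  create_roles
  issue_server_cert
  issue_client_p12 laptop-01 "${P12_PASS:-change-me}"
  verify_client_cert laptop-01
  echo "RADIUS: $OUT/radius.crt $OUT/radius.key  chain: $OUT/ca_chain.pem  client: $OUT/laptop-01.p12"
}

# Only talk to Vault when the environment points at one; otherwise the
# functions are merely defined so the script can be sourced and tested.
if [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_TOKEN:-}" ]; then
  main
fi
```

On the FreeRADIUS side, the `tls-config` block in `mods-available/eap` takes `ca_file` (the chain written above), `certificate_file` and `private_key_file` (the RADIUS pair), and `check_cert_cn = %{User-Name}` ties the certificate's CN to the identity the supplicant claims, which is the "policy based on client certificate contents" the video refers to. Two caveats: the root key never leaves the `pki` mount, so protect that mount's policy and seal keys as you would an offline root; and OpenSSL 3 writes PKCS#12 with AES-256 and PBKDF2 by default, so if an older importer rejects the bundle, re-run the export with `-legacy`.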