Freeradius signed by an external CA server-instructions

ragmanii
DD-WRT Novice
Joined: 14 Jul 2016
Posts: 15

Posted: Tue Jul 19, 2016 17:52    Post subject: Freeradius signed by an external CA server-instructions
Took me forever to work it out, I am surprised no one else is doing it this way. I wanted my freeradius server running on my DD-WRT to sign certificates under my own custom CA certserver. My custom CA certserver is running under ubuntu and basically follows the directions from here: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
Once that is set up you should be able to do this:
On the DD-WRT machine:
Turn on FreeRADIUS and set up all the correct parameters for your server cert. We will be using these so it has to be set up correctly.
#Open a shell to DD-WRT:
killall openssl
killall radiusd

cd /jffs/etc/freeradius/certs/
rm -Rf ./clients
rm *.pem
rm *.der
rm *.key
rm *.p12
rm *.pfx
rm index.*
rm serial*
rm *.csr
rm *.crt

#create the private key and CSR (the self-signed cert that the first command's -x509 prints to stdout is not used; only the key file is kept)
openssl req -sha256 -new -x509 -keyout radius03ca.key -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
openssl req -new -key radius03ca.key -out radius03ca.csr -config ./ca.cnf

#switch to the CA cert server and copy radius03ca.csr to the certserver under the ca/csr directory.
#If you followed the web page above it is in /root/ca - if you didn't then you will need to change at least the first commands.
#I also had to create the csr directory under /root/ca
cd /root/ca
#sign the cert - this will ask for your CA password!
openssl ca -config openssl.cnf -extensions v3_ca -days 10375 -notext -md sha256 -in csr/radius03ca.csr -out certs/radius03ca.cert.pem
chmod 444 certs/radius03ca.cert.pem
#we need the root CA in the pem we put onto the DD-WRT server
cat certs/radius03ca.cert.pem certs/ca.cert.pem > certs/radius03ca-chain.cert.pem
chmod 444 certs/radius03ca-chain.cert.pem
# copy radius03ca-chain.cert.pem and radius03ca.cert.pem to the DD-WRT radius server under /jffs/etc/freeradius/certs
# and switch back to the DD-WRT shell
cd /jffs/etc/freeradius/certs/
cp radius03ca.cert.pem ca.pem
cp radius03ca.key ca.key
#Replace the xpextensions with one that supports subject alt names and a URI so I can revoke when I want to.
#!!!You need to change these to your domain and DNS entries!!! - just the ones that say Example, not the keyusage!
#(basicConstraints on the server cert is CA:FALSE: the server certificate is a leaf and must not be able to issue certificates itself)
cat > xpextensions <<'EOF'
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
crlDistributionPoints = URI:http://example.com/ca/main.crl

[ xpserver_ext]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:FALSE
crlDistributionPoints = URI:http://example.com/ca/main.crl
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
subjectAltName = DNS:Example1, DNS:Example2, IP:192.168.1.1
EOF
touch index.txt
echo '01' > serial
openssl req -new -out server.csr -keyout server.key -config ./server.cnf
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
#DER copy of the radius CA cert (for clients that want DER); at this point ca.pem still holds only the radius CA cert
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
#now replace ca.pem with the chain (radius CA + root CA) so the server hands out the full chain
cp radius03ca-chain.cert.pem ca.pem
killall radiusd
radiusd -X -d /jffs/etc/freeradius

That's it. You should be able to sign your certs and have them travel back to your root server. The radiusd command there dumps the data to the screen, so if you just want to restart the radius server without the text spew then just run radiusd -d /jffs/etc/freeradius
Some may ask, why do this? This way anyone that comes over and I give a cert to can get to all my internal signed apps without having to keep importing certificates.
Last note: I have made extensive changes to my openssl.cnf over the years, so these instructions may require a little tweaking; I have not tested them against the vanilla one.
Tested and working with DD-WRT v3.0-r30016M.
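Before pointing clients at a server built this way, it is worth checking the properties the procedure above relies on: the server certificate only validates when the intermediate (radius03ca) certificate is present in the chain file, the server certificate is a leaf with the intended subjectAltName, and the DER copy of the CA certificate is the same certificate as the PEM one. The script below is an added example and is not part of ragmanii's post or of DD-WRT: it rebuilds the same root -> intermediate -> server layout with throwaway keys in a scratch directory and runs those checks. The subject names, the hostname radius.example.internal and the 192.168.1.1 address are constructed; the script assumes only the openssl command-line tool (1.1.1 or later) and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the forum post): build a three-tier chain
#   root CA -> intermediate "radius03" CA -> RADIUS server certificate
# in a scratch directory and verify what the post's chain file provides.
# All subject names, hostnames and the 192.168.1.1 address are constructed.

# Minimal req config so the example does not depend on the system openssl.cnf.
write_req_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF
}

# Create a 2048-bit RSA key and a CSR: $1 = file basename, $2 = CN, $3 = req config.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" -config "$3" 2>/dev/null
}

# Build root, intermediate and server certs in $1 (runs in a subshell so the
# caller's working directory is untouched).
build_chain() (
    cd "$1" || exit 1
    write_req_cnf req.cnf

    # 1. Root CA, self-signed: the role of the ubuntu certserver in the post.
    make_csr root "Example Root CA" req.cnf
    printf '%s\n' 'basicConstraints = critical, CA:true' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > root.ext
    openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
        -extfile root.ext -out root.pem 2>/dev/null

    # 2. Intermediate CA: the radius03ca CSR signed by the root with CA extensions
    #    (what the post's "openssl ca ... -extensions v3_ca" step does).
    make_csr radius03ca "radius03 CA" req.cnf
    printf '%s\n' 'basicConstraints = critical, CA:true, pathlen:0' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid:always' > int.ext
    openssl x509 -req -in radius03ca.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 365 -sha256 -extfile int.ext -out radius03ca.pem 2>/dev/null

    # 3. Server (EAP) certificate signed by the intermediate. It is a leaf: CA:FALSE.
    make_csr server "radius.example.internal" req.cnf
    printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
        'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid:always, issuer:always' \
        'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:radius.example.internal, IP:192.168.1.1' \
        'crlDistributionPoints = URI:http://example.com/ca/main.crl' > server.ext
    openssl x509 -req -in server.csr -CA radius03ca.pem -CAkey radius03ca.key -CAcreateserial \
        -days 365 -sha256 -extfile server.ext -out server.pem 2>/dev/null

    # 4. Chain file exactly as the post builds it (intermediate first, then root),
    #    plus the DER copy of the intermediate CA certificate.
    cat radius03ca.pem root.pem > chain.pem
    openssl x509 -inform PEM -outform DER -in radius03ca.pem -out ca.der
)

# Returns 0 when the server cert verifies with the chain file, fails with the
# root alone, and passes the strict root-trusted/intermediate-untrusted form.
check_chain_needed() {
    openssl verify -CAfile "$1/chain.pem" "$1/server.pem" >/dev/null 2>&1 || return 1
    if openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1; then
        return 1   # root alone must NOT be enough: the intermediate is missing
    fi
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/radius03ca.pem" \
        "$1/server.pem" >/dev/null 2>&1
}

# Returns 0 when the server cert is a leaf with the expected SAN entries and the
# DER and PEM copies of the CA cert have the same SHA-256 fingerprint.
check_server_cert() {
    text=$(openssl x509 -in "$1/server.pem" -noout -text)
    printf '%s' "$text" | grep -q 'CA:FALSE' || return 1
    printf '%s' "$text" | grep -q 'DNS:radius.example.internal' || return 1
    printf '%s' "$text" | grep -q 'IP Address:192.168.1.1' || return 1
    pem_fp=$(openssl x509 -in "$1/radius03ca.pem" -noout -fingerprint -sha256)
    der_fp=$(openssl x509 -inform DER -in "$1/ca.der" -noout -fingerprint -sha256)
    [ "$pem_fp" = "$der_fp" ]
}

# Run everything in a temporary directory and report.
demo() {
    d=$(mktemp -d)
    if build_chain "$d" && check_chain_needed "$d" && check_server_cert "$d"; then
        echo "chain OK: server cert verifies only when the intermediate is present"
    else
        echo "chain check FAILED"
    fi
    rm -rf "$d"
}
```

Run `demo` after sourcing the script. The negative check in `check_chain_needed` is the point of the post's `cat certs/radius03ca.cert.pem certs/ca.cert.pem > ...chain.cert.pem` step: a client that only has the root will reject the server certificate unless the intermediate is sent along with it, which is why the chain, not just the radius CA cert, ends up in ca.pem.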