Just read this thread. Was not aware that enabling JFFS was a prerequisite for this service. Not like it says it in the help text or anything, but that might be a good thing to mention there. After enabling JFFS the certificate generated in a matter of seconds (I didn't have to have any additional media, i.e., a USB flash drive). Slayer, thanks for the info; the rest of you DD-WRTers, thanks for the additional comments; and Sash, thanks for the lack of information, the updates on what will not be supported and what works in your environments.
All contributed to getting my issue resolved. This is a good software platform and I will continue to support it.
I found that every time I change the shared key everything works as expected, BUT if I reboot nothing will work till I change the shared key once again. Is it possible to correct this from the command line?
I had similar issues on an ASUS RT-AC66U. In several cases, even after performing resets, the certificate would not get generated and I would see the "generating 0 this may take a long time" forever (waited overnight at one point).
I was able to finally get the certificate to generate after I did a firmware upgrade to the same firmware already on the router. I kept my settings for the upgrade. When my router came back it had the message "certificate generation done".
In some cases, on reboot, the RADIUS server does not start. Go to the GUI->Services->FreeRadius and Apply Settings. This seems to start the service.
Additionally, if you want to debug the RADIUS server, ssh into the router and go to /jffs/etc/freeradius. You can run radiusd -d /jffs/etc/freeradius -X to validate that the service can actually start.
Lastly, in some cases if you type in new cert information in the GUI, I noticed it did not get placed in the server.pem file. I hit gen cert again. You can validate that your cert info is in the server.pem by doing cat /jffs/etc/freeradius/certs/server.pem. The first time, I found I only had the default cert info that dd-wrt ships with, which I no longer wanted to use. That's when I hit gen cert again with my new certificate info and validated that the server.pem file was updated.
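The checks described in the posts above (JFFS enabled, cert info actually written to server.pem, radiusd running after a reboot) can be run together from an ssh session. This script is an added example, not from any poster or from DD-WRT; the function names are made up for illustration. It assumes server.pem contains the readable certificate text that the cat check above relies on, and that the router's ps lists all processes.

```shell
#!/bin/sh
# Added example: post-reboot checks for the DD-WRT FreeRADIUS setup in this thread.
# Paths are the ones quoted in the thread; function names are illustrative.

RADIUS_DIR="${RADIUS_DIR:-/jffs/etc/freeradius}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# JFFS must be mounted at /jffs, otherwise the generated certs have nowhere to live.
# $1: mounts table in /proc/mounts format (device mountpoint fstype ...)
jffs_mounted() {
    awk '$2 == "/jffs" { found = 1 } END { exit !found }' "$1"
}

# server.pem must carry the details typed into the GUI, not stale ones.
# $1: PEM file, $2: string expected in its readable text (e.g. your Organization)
cert_mentions() {
    [ -r "$1" ] && grep -qF -- "$2" "$1"
}

# Reads a process listing on stdin; the [r] keeps the pattern from matching
# a grep process that appears in the same listing.
radiusd_running() {
    grep -q '[r]adiusd'
}

# $1: string you expect to find in server.pem
check_all() {
    rc=0
    if ! jffs_mounted "$MOUNTS"; then
        echo "FAIL: /jffs is not mounted; enable JFFS before generating the cert"
        rc=1
    fi
    if ! cert_mentions "$RADIUS_DIR/certs/server.pem" "$1"; then
        echo "FAIL: server.pem does not contain '$1'; generate the cert again"
        rc=1
    fi
    if ! ps | radiusd_running; then
        echo "FAIL: radiusd not running; Apply Settings in the GUI, or debug with:"
        echo "      radiusd -d $RADIUS_DIR -X"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: JFFS mounted, cert info present, radiusd running"
    return "$rc"
}

# Run the checks only when an expected string is given on the command line.
if [ "$#" -gt 0 ]; then
    check_all "$1"
fi
```

Save it under /jffs so it survives reboots and pass the Organization or Common Name you entered in the GUI as the only argument.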