Almost all EAP types in eduroam (with the exception of EAP-PWD) require an X.509 server certificate with which the RADIUS server identifies itself to the end user before the user sends his credentials to the server.

...

In a generic web server context, server certificates are usually required to be procured from a commercial Certification Authority (CA) operator; self-made certificates create an "Untrusted Certificate" warning. It makes sense for browsers to have a pre-configured trust store with many well-known CAs because the user may browse to any website, and the operator of that website may have chosen any of those well-known CAs for his website. In the abstract, one can say: many CAs are required in the list because the user device does not have all the information required for certificate validation contained in its own setup; it is missing the information "which CA did the server I am browsing to use to certify the genuineness of its website?".

...