...
eduroam installers will need to be configured with a server certificate trust (i.e. a root CA and a server name). To support the partitionability of the RADIUS service, each eduroam NRO gets its own self-signed root. This means approx. 200 self-signed CA certificates and server certificates need to be provisioned, all served by the RADIUS servers. The code to generate both the CA hierarchy and the FreeRADIUS configuration snippets to activate all those distinct personalities is available on GitHub.
The script will be executed by the dev team during initial installation, directly on one of the RADIUS servers so that the server certificate private keys are immediately on the right host and need no copying.
In principle, one calls the script addnro.py with the ISO country code of a eduroam NRO and a URL to the future CRL Distribution Point, i.e.
...