...

  1. If you have the required expertise: it is suggested to set up a private CA exclusively to issue an appropriate IdP server certificate for the eduroam RADIUS server.
    1. Qualities a private CA possesses:
      1. A very long lifetime to prevent certificate rollover problems.
      2. Presence of Basic Constraints CA:TRUE, per RFC 5280, section 4.2.1.9, to satisfy the required validation of the CA so that it can be used appropriately.
    2. The CA should issue only server certificates for your eduroam IdP server(s).
  2. If you do not have expertise: consider making use of your NRO's special-purpose CA, if one exists.
  3. If none of these work for you: a certificate from a commercial CA is a commonly used third option.
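
The first option above, sketched with the OpenSSL command line as an added example (not part of the original page or of eduroam's own tooling). The directory layout, subject names, key size, both lifetimes and the server certificate's extensions are assumptions chosen for illustration.

```sh
# Added example: private CA that issues only the eduroam IdP server certificate.
# Names, key sizes, lifetimes and server extensions are assumed, not from the page.
make_eduroam_ca() {
    ca_dir=$1; umask 077; mkdir -p "$ca_dir" || return 1
    cat > "$ca_dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example eduroam IdP Private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Long CA lifetime (20 years, assumed) to avoid certificate rollover problems.
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 7300 \
        -config "$ca_dir/ca.cnf" -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.pem"
}

issue_server_cert() {
    srv_dir=$1; srv_fqdn=$2
    # End-entity profile: not a CA, TLS server authentication only.
    cat > "$srv_dir/server.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$srv_fqdn
EOF
    openssl req -new -newkey rsa:3072 -nodes -config "$srv_dir/ca.cnf" \
        -subj "/CN=$srv_fqdn" -keyout "$srv_dir/server.key" \
        -out "$srv_dir/server.csr" &&
    openssl x509 -req -in "$srv_dir/server.csr" -CA "$srv_dir/ca.pem" \
        -CAkey "$srv_dir/ca.key" -CAcreateserial -sha256 -days 825 \
        -extfile "$srv_dir/server.ext" -out "$srv_dir/server.pem"
}

check_chain() {
    # The CA must carry CA:TRUE and the server certificate must chain to it.
    openssl x509 -in "$1/ca.pem" -noout -text | grep -q 'CA:TRUE' &&
    openssl verify -CAfile "$1/ca.pem" -purpose sslserver "$1/server.pem" >/dev/null
}

# Usage: sh eduroam-ca.sh ./eduroam-ca radius.example.org
if [ $# -eq 2 ]; then
    make_eduroam_ca "$1" && issue_server_cert "$1" "$2" && check_chain "$1" && echo "chain OK"
fi
```

Keep `ca.key` off the RADIUS server itself; only `ca.pem`, `server.pem` and `server.key` are needed there, and `ca.pem` is what clients are configured to trust.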

...