...
Another factor to consider when deciding between a private and a commercial CA is the size, and therefore the length, of the EAP conversation during every login: with a private CA you can construct a certificate chain without intermediate CA certificates, so fewer bytes have to be transmitted inside the EAP conversation (see Consideration 3, below). This results in fewer EAP round-trips and thus a faster authentication.
As a general recommendation:
- If you have the required expertise: set up a private CA exclusively to issue an appropriate server certificate for the eduroam IdP RADIUS server. Qualities such a private CA should possess:
  - A very long lifetime, to prevent certificate rollover problems.
  - The Basic Constraints extension with CA:TRUE (RFC 5280, section 4.2.1.9), so that clients validating the chain accept the certificate as a CA.
  - The CA should issue only server certificates for your eduroam IdP server(s).
- If you do not have the expertise: consider making use of your NRO's special-purpose CA, if one exists.
- If none of these work for you: a certificate from a commercial CA is a commonly used third option.
...