...
- If you have the required expertise: it is suggested to set up a private CA exclusively to issue an appropriate IdP server certificate for the eduroam RADIUS server
  - Qualities the private CA should possess:
    - A very long lifetime to prevent certificate rollover problems.
    - Presence of Basic Constraints CA:TRUE per RFC 5280, section 4.2.1.9, so that the certificate passes the required validation as a CA certificate and can be used accordingly.
    - The CA should issue only server certificates for your eduroam IdP server(s).
- If you do not have expertise: consider making use of your NRO's special-purpose CA, if one exists.
- If none of these work for you: a certificate from a commercial CA is a commonly used third option.
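The private-CA option in the first bullet can be built and checked with the OpenSSL command line. The script below is an added example, not part of the original recommendation. The organisation name, host name `radius.example.edu`, key sizes, the 20-year and 825-day lifetimes, and the use of the serverAuth extended key usage to mark server-only certificates are all assumptions.

```shell
#!/bin/sh
# Added example: names, lifetimes and key sizes below are assumptions.
# Creates a private CA in directory "$1" and issues one RADIUS server certificate.
make_eduroam_ca() (
    d=$1; mkdir -p "$d" || return 1
    umask 077    # private keys readable by the owner only (protect ca.key further in production)
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
O = Example University
CN = Example University eduroam CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Self-signed CA valid for 20 years, so clients rarely need a new trust anchor.
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 7300 \
        -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Key and CSR for the IdP's RADIUS server (hypothetical host name).
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/O=Example University/CN=radius.example.edu" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    # The CA signs the CSR with the server-only extension section.
    openssl x509 -req -sha256 -days 825 -in "$d/srv.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/ca.cnf" -extensions server -out "$d/srv.pem" 2>/dev/null
)

# Succeeds only if the CA and the issued certificate have the qualities listed above.
check_eduroam_ca() {
    d=$1
    # Basic Constraints CA:TRUE (RFC 5280, section 4.2.1.9).
    openssl x509 -in "$d/ca.pem" -noout -text | grep -q 'CA:TRUE' || return 1
    # Long lifetime: still valid 19 years (599184000 seconds) from now.
    openssl x509 -in "$d/ca.pem" -noout -checkend 599184000 >/dev/null || return 1
    # The issued certificate is a server certificate and chains to the CA.
    openssl x509 -in "$d/srv.pem" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
    openssl verify -CAfile "$d/ca.pem" -purpose sslserver "$d/srv.pem" >/dev/null
}
```

Run `make_eduroam_ca ./eduroam-ca && check_eduroam_ca ./eduroam-ca`; only `ca.pem` is distributed to client devices, while `ca.key` stays offline.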
...