Can I use two or more freeradius server certificates for the same virtual site?

Brian Julin BJulin at
Thu Nov 1 16:29:54 CET 2018

Alan DeKok <aland at> wrote:

> client: let's do TLS!
> server: Sure, here's my CA and server cert!
> client:  Uh... not what I wanted, goodbye!
> The only way to signal which CA you want is by some other method.  i.e. changing the outer identities, as Christian suggested.

Just a note for edification/general interest, in the case of non-Windows IPSEC, there are modes where
clients can send requests for desired CAs over the IKE protocol.  Doesn't help for WiFi unless maybe if
you are doing Open+IPSEC setups.

(Windows can do that mode too, but the client doesn't do sufficient security checks in that mode;
you have to tunnel PEAP to get CN validation.)
