hi, this question pops up every so often look at the mailing list history for previous discussions but summary is 1) its BCP for 802.1X to use a prvate CA - its more secure in that you control the CA and thus you control who gets certificates...so if a client can ONLY check the CA and not the CommonName, thats not an issue..) 2) if using private CA your RADIUS server can be directly signed - no intermediates - less data during 802.1X exchange 3) you are in control of destiny - YOU decide what your CA policy and server certificate policies are. want 5 years? fine. want 10 years (not advisable) fine. ..and more. however, using a private CA has its difficulties 1) clients need to have the CA on their device - use a profile tool! 2) you are operating a PKI/CA system - you need to know what you are doing, have policies, keep it secure , etc 3) you need to know what random things you need to add into the certs (fortunately plenty of other people are doing that work in the world of 802.1X and contributing to FreeRADIUS so eg the current example/demo certificate scripts make things that work your problem is PROBABLY that your CA/cert is MD5 - newer OSes wont like that. you need to be SHA1 or higher now. Windows Phone/Windows 8 need CRLDP to be present. at the end of the day, when it comes to the actual x509 data, there is NO difference between a private CA signd cert and a public CA signed cert for 802.1X alan