Hi, Is it possible to check EAP-TLS against multiple certificate chains, or bundle two chains together into the same pem file? We have a potential problem where all our certificate auth laptops have been using SHA1 for quite some time. Recently we upgraded our certificate authority to SHA256, so any laptops that request a new cert will get a SHA256. If I put a SHA256 root chain certificate in the EAP-TLS config then a SHA256 client can authenticate, but naturally SHA1 can not. If I leave the SHA1 root chain on the server, then the newer SHA256 clients can not authenticate. I am worried that one day I will come in to find half the clients have renewed to a SHA256 and can no longer auth. Is there anything I can do to allow both certificate types to authenticate during this transition period? In terms of config, in mods-enabled/eap, I have tls-config loanlaptops { private_key_file = ${confdir}/certs/loan_laptop_server.pem certificate_file = ${confdir}/certs/loan_laptop_server.pem ca_file = ${confdir}/certs/unikentrootCAchain.pem ...... } tls { # Point to the Loan Laptops TLS configuration tls = loanlaptops virtual_server = check-eap-tls } Yours Dave Hartburn