Hi
As a possible hint since your question sounds similar to an issue I had:
I was looking to provide a server-side certificate to my clients from a public CA
but only allow clients to authenticate via EAP-TLS when presenting a cert from our
internal CA which avoids the misconfiguration to trust any certificate issued by the public CA.
Check the difference of CA_file (containing root CA cert of your internal CA), but set server cert
(including cert chain) inside certificate_file.