Hi,
??? You can do that when using the same server CN. On clients configure to trust your CA and the one CN of server. Multiple server CNs is what the original requester wanted to avoid - and wildcard CN entries can be problematic
Multiple server CN is what the OP requested to avoid because he wanted to roam between sites with a single config and he includes the server CN in that config (at least that's my understanding). What I'm pointing out is that you can still achieve roaming with a single config even if your server don't have the same CN. Apple clients allow to lock on the cert issuer instead of the cert itself and so does wpa_supplicant. I can't speak for every EAP-TLS client of course, but this seems to be a pretty common option. Cheers, Sylvain