Hello! I am running FreeRADIUS 2.2.5 on Debian 8.7 (Jessie). The RADIUS server is using TTLS+PAP. I am trying to find a good way to authenticate the server to Windows clients. With macOS, Linux, Android etc., I am using a custom self signed CA certificate. On these devices it is possible to specify that this certificate is only usable for a specific SSID. However, for Windows I have found no way to accomplish this. To make it work, I have to install the CA certificate in the "Trusted Root CA" store. This is rather inconvenient. If I (against all odds) lose the private key, the attacker could use it to issue certificates for web pages, and the Windows clients would accept them. One of the options I have considered is make FreeRADIUS present multiple certificates simultaneously: an LE certificate for Windows and the self signed CA certficiate for other clients. As Windows clients already trust LE, they should also accept the server certificate. 1) Is it possible to use LE certificates with FreeRADIUS? 2) Is it possible to make the server present multiple certificates? The reason for wanting multiple certificates, is that a complete switch to LE would require reconfiguring all the non-Windows clients that use the CA certificate. Naturally, all thoughts concerning EAP and Windows are also welcome. Thanks in advance! -- Herman Øie Kolden Trondheim, Norway