I definitely echo the comment about private CAs for your RADIUS. Control your
own destiny. If your users are getting onboarded, then private CA chains
should get installed as part of the process, as well. We learned this from a
swap out from a GoDaddy chain that was being deprecated before
We still use SHA2 256-bit certificates with a 2048 length. When I was doing
research on this a few years ago, I believe there was extra processing power
required once you went above 256-bit (requires an additional computation). I
could be completely wrong about that, but we have had mass
Unfortunately, for various reasons, we have had to do this too many times.
Our policy is for the configuration to trust the certificate chain, rather than
the server certificate. That allows you to update the server certificate
without breaking trust.
If you know in advance your new