Ultimately, it is up to the CAF participant to determine which type of certificate is preferred. Since self-signed certificates are free, can be valid for up to 10 years, and help mitigate Rogue APs, CANARIE recommends them over commercial certificates.
Additional considerations:
- The impact of certificate type comes into play only during the first time you link that device to eduroam and NOT for each connection (or login). It is an infrequent event that a user may encounter on each of their devices, hence one extra dialog box once every few months/years on a Windows device may not be that burdensome.
- Additional material and a very comprehensive overview can be found here: https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus#Howtodeployeduroamon-siteoroncampus-EAPServercertificateconsiderations
- Internationally, sites in Europe typically favour self-signed certificates