diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
index 843862089..cb032d2fc 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
@@ -20,7 +20,7 @@
eap.ca
- dropdown
+ select_multiple
Choose the Root CA. This CA will be trusted to issue client certificates for authentication.
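Review bot: The help text on `eap.ca` still describes a single CA ("Choose the Root CA. This CA will be trusted…") although the field type is now `select_multiple`. Each additional selection widens the set of issuers whose client certificates are accepted for EAP authentication, so the text should say that explicitly, for example `Choose one or more Root CAs. Every selected CA will be trusted to issue client certificates for authentication.`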
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index c44c58ed3..991e9bd52 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -31,6 +31,7 @@
ca
N
+ Y
cert
diff --git a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
index efb5eabd0..a55e822d0 100755
--- a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
+++ b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
@@ -80,17 +80,21 @@ if (isset($configObj->OPNsense->freeradius)) {
$cert_refid = (string)$find_cert->ca;
// if eap has a ca-certificate attached, search for its contents
if ($cert_refid != "") {
- foreach ($configObj->ca as $ca) {
- if ($cert_refid == (string)$ca->refid) {
- // generate cert pem file
- $pem_content = trim(str_replace("\n\n", "\n", str_replace(
- "\r",
- "",
- base64_decode((string)$ca->crt)
- )));
-
- $pem_content .= "\n";
- $ca_pem_content .= $pem_content;
+ // multiple comma-separated refid values are possible
+ $cert_refids = explode(',', $cert_refid);
+ foreach ($cert_refids as $current_refid) {
+ foreach ($configObj->ca as $ca) {
+ if ($current_refid == (string)$ca->refid) {
+ // generate cert pem file
+ $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+ "\r",
+ "",
+ base64_decode((string)$ca->crt)
+ )));
+
+ $pem_content .= "\n";
+ $ca_pem_content .= $pem_content;
+ }
}
}
}
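Review bot: The refid match `$current_refid == (string)$ca->refid` compares two strings loosely, and PHP compares numeric-looking strings numerically. If refids are hex-style ids (their format is not shown here), two different values of the form digits-`e`-digits can compare equal and add an unselected CA to the EAP trust bundle; use `if ($current_refid === (string)$ca->refid) {`. The pieces from `explode(',', $cert_refid)` are also used untrimmed, and a refid that matches no CA is skipped silently, so the written bundle can differ from the selection without any log entry; trimming each piece and logging a warning on a miss would make that visible. The enclosing `if (isset($configObj->OPNsense->freeradius))` block starts and ends outside this hunk.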