How many SSL's for 8 MT's, 1 Website, 1 AAA/RADIUS???

I am setting up 8 Mikrotik RB411Us with Hotspot pkg, a Website for redirects, and an AAA/RADIUS server for a limousine company.

GoDaddy has a ‘Standard (Turbo) SSL (1 Year) (annual)’ for only $12.99

Am I correct in assuming that I would only need 3 Standard SSL certificates?

I am assuming that if the Mikrotik hotspot domain is the same on all 8 Mikrotiks, a single cert can be put on all 8, correct?

I am assuming that the AAA Radius needs its own cert to work with Paypal payment Solution, correct?

I am assuming that the Website will need its own cert to work with Transitions of Local to Remote web components, correct?

Thanks for any information that can help me verify this information. I am open to other solutions for securing content and payment transactions.

Maybe I have asked my questions improperly, so allow me to rephrase.

How do I avoid having to buy 1 certificate per mikrotik when running Hotspot?

To avoid the “unverified or invalid” certificate message, is there a post explaining or a wiki that discusses this?

Am I incorrect in using a certificate on a RADIUS/AAA server to keep username password and authentications secure?

I could use a hand, as these are my weak points when it comes to the Hotspot on Mikrotik ROS, and my ability to search is returning content from 2006 or 2.9.x ROS features.

Thank You.

You need a certificate for all routers as long as you use the same hostname on all of them for the Hotspot.

This is relatively easily done by either using the same IP space on every Hotspot network, or by using a loopback address (create a bridge, add no ports to it, and assign it an IP address) and implementing the same loopback on every Hotspot router.

For example, make a loopback on every router that runs Hotspots for you and assign it 10.1.1.1/32. Then map 10.1.1.1 to hotspot.example.com on all DNS servers that are relevant (probably a static DNS entry on the routers themselves, and also on the DNS server for your domain). Set the domain-name on all Hotspot server profiles to hotspot.example.com, set the IP address to 10.1.1.1, and buy a certificate for hotspot.example.com.

You do need a certificate for any external servers you use, as usual.

You do not need a certificate for RADIUS. RADIUS uses its own encryption mechanisms, and does not utilize SSL (and couldn’t - RADIUS uses single UDP packets that aren’t part of a negotiated session, so SSL/TLS wouldn’t work for that). If you need very strong encryption, build VPN tunnels (such as IPsec) between sites and run RADIUS via the VPN.

Hope that helps.

Thanks for the response, fewi.

I will use 1 for all Mikrotiks using the same hotspot DNS name.
I will use 1 for the website (for the devices with Remote login page).
I will use 1 for the RADIUS/AAA as it has User Account self Care on it.

Your karma point was awarded, and thank you again.