For applications based on SSL/TLS (e.g. EAP/802.1X, HTTPS or RADSEC), the SSL (server) certificate together with the private key and intermediate level CA certificate(s) are loaded into the device as a PKCS#12 container.
The remote devices establishing a connection only have to send their own device certificates to the device. The certificate chain is checked for validity in the device.
