EAPoL certificates used to specify a certificate file which could include multiple entries (in the file itself, not in the config).
With the move to PKI, this is no longer possible.
Similar issue was noted with OpenVPN and fixed in T4485 see also this forum post: https://forum.vyos.io/t/using-multi-certificate-certificate-file-with-pki-and-openvpn/9043
It might be worth thinking whether there are any other areas this may affect. Given there are at least these two, there could be more.
Good point, I'll try and look into this and see if it can be handled everywhere the new PKI nodes are used.
Is there any kind of ETA on this? It hasn't moved in a few months, and it is preventing me from being able to upgrade. I understand this probably isn't a huge priority, but an ETA would be nice.
For eapol specifically, if your use case involves only a single chain (1 root CA + 1 or more intermediate CAs), then my fix from T4245 should do the trick. You can add each root/intermediate CA to the PKI and then set eapol to the leaf intermediate CA. When the wpa_supplicant configuration is generated, vyos will add the intermediate CA and all of its parents to the .crt file.
(This does not address the use case of having multiple independent chains (multiple root CAs) though.)