Please correct me if I'm wrong, but would security not be reduced when using public CAs, in cases where client certificates are not validated?
Let's say we want to prevent a domain-joined station from attempting to authenticate to a rogue AP which is broadcasting our SSID, but we are only using password authentication on the clients. Let's say the attacker uses a valid server ceritifcate provided by the same CA as the one in our trusted list.
Would the client not simply connect to the rogue AP if it's nearby, even with certificate validation enabled, allowing the attacker to sniff the NetNTLM hash, potentially allowing the original password to be cracked offline given enough resources?