Managing Certificates Used with NPS

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

If you deploy a certificate-based authentication method, such as EAP-TLS, PEAP-TLS, or PEAP-MS-CHAP v2, you must enroll a server certificate to all of your NPS servers. The server certificate must:

• Meet the minimum server certificate requirements as described in Certificate Requirements for PEAP and EAP at https://go.microsoft.com/fwlink/?LinkID=101491.

• Be issued by a certification authority (CA) that is trusted by client computers. A CA is trusted when its certificate exists in the Trusted Root Certification Authorities certificate store for the current user and local computer.

The following objectives assist in managing NPS server certificates in deployments where the trusted root CA is a third-party CA, such as Verisign, or is a CA that you have deployed for your public key infrastructure (PKI) by using Active Directory Certificate Services (AD CS) in Windows Server 2008.

The following objectives are part of managing NPS server certificates:

• Change the Cached TLS Handle Expiry

• Obtain the SHA-1 Hash of a Trusted Root CA Certificate