Certificate Requirements for PEAP and EAP

Applies To: Windows Server 2008

Certificate requirements

All certificates that are used for network access authentication with EAP-TLS and PEAP must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer/Transport Layer Security (SSL/TLS). Client certificates and server certificates each have additional requirements, listed below.

Minimum server certificate requirements

Clients can be configured to validate server certificates by using the Validate server certificate option. With PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS as the authentication method, the client accepts the authentication attempt of the server when the certificate meets the following requirements:

  • The Subject name contains a value. If you issue a certificate to your NPS server that has a blank Subject, the certificate is not available to authenticate your NPS server. To configure the certificate template with a Subject name:

    1. Open Certificate Templates.

    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

    3. Click the Subject Name tab, and then click Build from this Active Directory information.

    4. In Subject name format, select a value other than None.

  • The computer certificate on the server chains to a trusted root CA and does not fail any of the checks that are performed by CryptoAPI and that are specified in the remote access policy or network policy.

  • The NPS or VPN server computer certificate is configured with the Server Authentication purpose in EKU extensions (the object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1).

  • The server certificate uses an RSA key (the certificate template's required algorithm is RSA). To configure the required cryptography setting:

    1. Open Certificate Templates.

    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

    3. Click the Cryptography tab. In Algorithm name, click RSA. Ensure that Minimum key size is set to 2048.

  • The Subject Alternative Name (SubjectAltName) extension, if used, must contain the DNS name of the server. To configure the certificate template with the DNS name of the enrolling server:

    1. Open Certificate Templates.

    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

    3. Click the Subject Name tab, and then click Build from this Active Directory information.

    4. In Include this information in alternate subject name, select DNS name.

With PEAP and EAP-TLS, NPS servers display a list of all installed certificates in the computer certificate store, with the following exceptions:

  • Certificates that do not contain the Server Authentication purpose in EKU extensions are not displayed.

  • Certificates that do not contain a Subject name are not displayed.

  • Registry-based and smart card-logon certificates are not displayed.

Minimum client certificate requirements

With EAP-TLS or PEAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:

  • The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory® Domain Services (AD DS).

  • The user or computer certificate on the client chains to a trusted root CA and includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2). It must also pass the checks that CryptoAPI performs and that are specified in the remote access policy or network policy, and the certificate object identifier checks that are specified in the IAS remote access policy or NPS network policy.

  • The 802.1X client does not use registry-based certificates that are smart card-logon certificates or that are password-protected.

  • For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN). To configure the UPN in a certificate template:

    1. Open Certificate Templates.

    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

    3. Click the Subject Name tab, and then click Build from this Active Directory information.

    4. In Include this information in alternate subject name, select User principal name (UPN).

  • For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the fully qualified domain name (FQDN) of the client, which is also called the DNS name. To configure this name in the certificate template:

    1. Open Certificate Templates.

    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

    3. Click the Subject Name tab, and then click Build from this Active Directory information.

    4. In Include this information in alternate subject name, select DNS name.

With PEAP-TLS and EAP-TLS, clients display a list of all installed certificates in the Certificates snap-in, with the following exceptions:

  • Wireless clients do not display registry-based and smart card-logon certificates.

  • Wireless clients and VPN clients do not display password-protected certificates.

  • Certificates that do not contain the Client Authentication purpose in EKU extensions are not displayed.
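The following PowerShell function is an added example and is not part of the original article. It audits a certificate from the local store against both the server requirements and the client requirements above: a non-blank Subject, a chain to a trusted root that passes CryptoAPI checks (revocation included), the role's required EKU object identifier, an RSA key of at least 2048 bits, and the expected DNS name or user principal name in SubjectAltName. The function name, the store paths, and the host and user names in the usage lines are assumptions for illustration.

```powershell
# Added example, not from the original page. Assumed names: Test-EapCertificate,
# nps01.corp.example.com, alice@corp.example.com, and the store paths used below.
function Test-EapCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Server = NPS/VPN server certificate; UserClient / ComputerClient = EAP-TLS client certificates
        [Parameter(Mandatory)]
        [ValidateSet('Server', 'UserClient', 'ComputerClient')]
        [string]$Role,

        # Name expected in SubjectAltName: DNS name (FQDN) for Server and ComputerClient,
        # user principal name for UserClient.
        [Parameter(Mandatory)]
        [string]$ExpectedName
    )

    $ns = 'System.Security.Cryptography.X509Certificates'
    # Server Authentication vs. Client Authentication EKU OIDs from the requirements above
    $requiredEku = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }

    $r = [ordered]@{ Thumbprint = $Certificate.Thumbprint; Role = $Role }

    # Subject name must contain a value; a blank Subject makes the cert unusable for NPS.
    $r.HasSubject = -not [string]::IsNullOrWhiteSpace($Certificate.Subject)

    # Must chain to a trusted root CA and pass the CryptoAPI checks, revocation included.
    $chain = New-Object -TypeName "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $r.ChainsToTrustedRoot = $chain.Build($Certificate)
    $r.ChainStatus = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')

    # EKU extension (OID 2.5.29.37) must list the role's required purpose.
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $ekuOids = @()
    if ($ekuExt) {
        $eku = New-Object -TypeName "$ns.X509EnhancedKeyUsageExtension" -ArgumentList $ekuExt, $false
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Oid.Value })
    }
    $r.HasRequiredEku = $ekuOids -contains $requiredEku

    # Key must be RSA with a minimum size of 2048 bits; GetRSAPublicKey returns $null for non-RSA keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $r.IsRsa2048 = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)

    # SubjectAltName (OID 2.5.29.17): CryptoAPI renders it as text such as
    # "DNS Name=nps01.corp.example.com" or "Other Name:Principal Name=alice@corp.example.com".
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $label  = if ($Role -eq 'UserClient') { 'Principal Name' } else { 'DNS Name' }
    if ($sanExt) {
        $r.SanHasExpectedName = $sanExt.Format($false) -match ('(?i)' + [regex]::Escape("$label=$ExpectedName"))
    } else {
        # Client certificates must carry a SAN; on the server it is checked only if present.
        $r.SanHasExpectedName = ($Role -eq 'Server')
    }

    # A certificate can only be offered for EAP if its private key is present on this machine.
    $r.HasPrivateKey = $Certificate.HasPrivateKey

    $r.Pass = $r.HasSubject -and $r.ChainsToTrustedRoot -and $r.HasRequiredEku -and
              $r.IsRsa2048 -and $r.SanHasExpectedName -and $r.HasPrivateKey
    [pscustomobject]$r
}

# Usage (assumed names): audit every machine-store certificate an NPS server could offer,
# then every user certificate that an EAP-TLS client could present.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapCertificate -Certificate $_ -Role Server -ExpectedName 'nps01.corp.example.com' } |
    Format-Table Thumbprint, HasSubject, ChainsToTrustedRoot, HasRequiredEku, IsRsa2048, SanHasExpectedName, Pass -AutoSize

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EapCertificate -Certificate $_ -Role UserClient -ExpectedName 'alice@corp.example.com' } |
    Format-Table Thumbprint, HasRequiredEku, SanHasExpectedName, ChainStatus, Pass -AutoSize
```

When a certificate fails the chain check, the ChainStatus column carries the CryptoAPI status flags (for example RevocationStatusUnknown or UntrustedRoot) that explain why NPS or the client would reject it. The function does not detect the smart card-logon or password-protected keys that the EAP certificate pickers omit; it only confirms that a private key is associated with the certificate.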
