Server Certificate Requirements

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certificates installed on your servers must be obtained from a public trusted root certification authority (such as Verisign or Thawte) and must meet the minimum server certificate requirements. WPS technology uses the PEAP-MS-CHAP v2 authentication method; with PEAP-MS-CHAP v2, the client accepts the server's authentication attempt when the server certificate meets the following requirements:

  • The Subject name contains a value. If you issue a certificate to your IAS server that has a blank Subject, the certificate is not available to authenticate your IAS server.

  • The computer certificate on the server chains to a public trusted root CA and does not fail any of the checks that are performed by CryptoAPI and specified in the remote access policy.

  • The IAS server computer certificate is configured with the Server Authentication purpose in Enhanced Key Usage (EKU) extensions. (The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.)

  • The server certificate is configured with a required cryptographic service provider (CSP) value of Microsoft RSA SChannel Cryptographic Provider.

  • The Subject Alternative Name (SubjectAltName) extension, if used, must contain the DNS name of the server.
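
The five requirements above can be audited against every certificate in the computer's Personal store with the following PowerShell script, an added example that is not part of the original article. It assumes a PowerShell host with the Cert: drive, administrator rights (needed to read the private key's CSP container information), an English Windows locale (the SAN text is matched on the literal "DNS Name=" prefix), and a placeholder name ias1.example.com that you replace with your IAS server's FQDN.

```powershell
# Added example: audit Cert:\LocalMachine\My against the PEAP-MS-CHAP v2
# server certificate requirements. Run as an administrator on the IAS server.
param(
    [string]$ServerDnsName = "ias1.example.com"   # placeholder: your IAS server's FQDN
)

$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
$RequiredCsp   = "Microsoft RSA SChannel Cryptographic Provider"

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $problems = @()

    # 1. The Subject must contain a value.
    if ([string]::IsNullOrEmpty($cert.Subject)) { $problems += "blank Subject" }

    # 2. The chain must build to a trusted root without CryptoAPI failures.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $problems += "chain: " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ",")
    }

    # 3. The EKU extension must include Server Authentication.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }))) {
        $problems += "EKU lacks Server Authentication ($ServerAuthOid)"
    }

    # 4. The private key must be held by the Microsoft RSA SChannel CSP.
    $csp = $null
    if ($cert.HasPrivateKey) {
        try { $csp = ([System.Security.Cryptography.RSACryptoServiceProvider]$cert.PrivateKey).CspKeyContainerInfo.ProviderName } catch {}
    }
    if ($csp -ne $RequiredCsp) { $problems += "CSP is '$csp', expected '$RequiredCsp'" }

    # 5. If a SAN extension is present, it must carry the server's DNS name.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } | Select-Object -First 1
    if ($san -and ($san.Format($false) -notmatch "DNS Name=$([regex]::Escape($ServerDnsName))")) {
        $problems += "SAN present but does not contain $ServerDnsName"
    }

    $verdict = if ($problems.Count -eq 0) { "OK" } else { "FAIL: " + ($problems -join "; ") }
    "{0,-42} {1}" -f $cert.Thumbprint, $verdict
}
```

A certificate reported as OK satisfies every requirement in the list above and is therefore one that PEAP-MS-CHAP v2 clients will accept; any FAIL line names the specific requirement that was missed.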

With PEAP and EAP-TLS, servers display a list of all installed certificates in the computer certificate store, with the following exceptions:

  • Certificates that do not contain the Server Authentication purpose in EKU extensions are not displayed.

  • Certificates that do not contain a Subject name are not displayed.

  • Registry-based certificates and smart card logon certificates are not displayed.

Note

When you deploy PEAP-MS-CHAP v2 on a private network, client computers are configured to validate server certificates by using the Validate server certificate option. With WPS technology, however, Wireless Provisioning Services automatically configures this option on client computers running Windows XP.