802.1X SSL cert not working in network policy server (2008 server)

ThorinO
I am having an issue very similar to the link below.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26531372.html#discussion

I have used the link below to change my validity to 5 years

http://social.technet.microsoft.com/wiki/contents/articles/how-to-change-extend-the-expiration-date-of-certificates-that-are-issued-by-a-windows-server-2008-or-a-windows-server-2003-certificate-authority.aspx

I have gone into Certificates -> Personal -> Certificates and requested a new cert. I select AD enrollment policy, then domain controller authentication and I get a 5 year cert.

When I go into NPS, select the policy, go to the constraints tab, select PEAP in the authentication methods, and click edit I only have the root CA SSL cert, not the one I requested.

When I try to use this cert to authenticate an iPhone it doesn't work.
Did the certificate mail from the CA reach you?
Have you installed the certificate?

Author

Commented:
This was a self issued certificate from a CA on our domain.
Do you have the certificate? If you do, copy it into a Notepad file, change the extension to .cer and check if it is correct.

If the certificate you have in the Personal computer certificate store on the NPS does not have the private key, you won't see it in the NPS snap-in, so you need to make sure you install the certificate correctly.
You could run 'Certutil -repairstore' to link the private key back to the public key: 'Certutil -repairstore my <Serial No or Thumbprint>' (replace <Serial No or Thumbprint> with the actual serial number or thumbprint of the certificate).
This command will only work if the certificate was requested from the NPS server or if the private key exists on this server.

Author

Commented:
I requested the cert from our enterprise CA which is also the same server where NPS resides. Should I run the 'Certutil -repairstore' command?
If it was an online request, meaning you requested the certificate using the MMC and the certificate was installed in the personal store, then the 'Certutil -repairstore' command is not required. You should have the private key with the certificate. You could run 'Certutil -verifystore -v my "<Serial No>"' to verify the same (<Serial No> needs to be replaced by the actual serial number of the NPS certificate).
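An added diagnostic, not part of this thread, that does the same check from PowerShell on the NPS server: it lists each certificate in the computer's Personal store with whether a private key is linked (the condition the answer above names) and whether it carries the Server Authentication EKU that Microsoft's PEAP certificate requirements call for, and prints the matching certutil -repairstore command for any certificate whose key is missing. It assumes it is run in an elevated session on the NPS server itself.

```powershell
# Added example (not from the thread). Run elevated on the NPS server.
# NPS only offers certificates from LocalMachine\My that have a linked
# private key; for PEAP the cert also needs the Server Authentication EKU.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication (id-kp-serverAuth)

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Collect EKU OIDs from the Enhanced Key Usage extension, if present.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    # A certificate with no EKU extension is valid for any purpose.
    $hasServerAuth = ($ekus.Count -eq 0) -or ($ekus -contains $serverAuthOid)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        SerialNumber  = $cert.SerialNumber
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $hasServerAuth
        UsableForPeap = ($cert.HasPrivateKey -and $hasServerAuth -and $cert.NotAfter -gt (Get-Date))
    }
}

$report | Format-Table Subject, NotAfter, HasPrivateKey, ServerAuthEku, UsableForPeap -AutoSize

# For certificates without a linked key, show the repair command from the
# answer above (only works if the key actually exists on this server).
$report | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
    Write-Host "No private key linked for '$($_.Subject)'."
    Write-Host "  Try: certutil -repairstore my $($_.Thumbprint)"
    Write-Host "  Then verify: certutil -verifystore -v my $($_.SerialNumber)"
}
```

After a successful repair, restart the Network Policy Server service (or re-open the NPS console) before checking the PEAP certificate drop-down again.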

Author

Commented:
Thank you, I have not worked more on this yet but I need to.
