Wifi, 802.1x, simple certificate selection, CA


We have installed a new CA - it works fine.

On our Windows 7 machines we now have 1 new machine certificate from the new CA and one from the old CA.

Both are working for WIFI auth.

Some of the old certificates are about to expire. On some machines (Windows 7) it seems to be using the old (and expired) certificate - so it's unable to connect to wifi.

How do I deal with this issue? (expired certificates from old CA)

We use computer auth + simple certificate selection.

Thanks in advance


Jakob Digranes (Senior Consultant) Commented:
Simple Certificate Selection is designed so that it'll remember your choice if you choose one certificate over the other. Also, if the old certificate is expired, Windows will choose the new valid one, as long as it is installed - and, of course, valid.

However, you should revoke all certs from old CA when demoting it, as long as new CA is up and running.

mikeydk (Author) Commented:
Jakob> Thanks for your time ;) I have many Windows 7 boxes with one expired (Old CA) and one valid (New CA).

About 70% are unable to log on to our WIFI. As soon as I delete the expired certificate it's able to connect to the WIFI.

Therefore I suspect Windows to use the expired certificate for WIFI.

Best regards
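
The condition described in this post, an expired machine certificate sitting next to a valid one, can be checked per machine with the following added example (it is not part of the original thread). It assumes the 802.1x computer certificates are in the Local Computer Personal store; the `-Remove` switch is this script's own, hypothetical parameter, and the script uses the .NET `X509Store` class so it does not depend on newer certificate cmdlets.

```powershell
# Added example (not from the thread). Read-only unless -Remove is given (run elevated).
param([switch]$Remove)   # -Remove is this script's own, hypothetical switch
$ErrorActionPreference = 'Stop'

$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID
$now   = Get-Date
$mode  = if ($Remove) { 'ReadWrite' } else { 'ReadOnly' }
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open($mode)
try {
    $rows = @(foreach ($cert in @($store.Certificates)) {
        # EKU OIDs on the certificate; no EKU extension means "all purposes"
        $eku = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        $forClientAuth = ($eku.Count -eq 0) -or ($eku -contains $clientAuth)
        # Only certificates with a private key can be used for machine authentication
        if (-not ($forClientAuth -and $cert.HasPrivateKey)) { continue }

        $expired = $cert.NotAfter -lt $now
        if ($expired -and $Remove) { $store.Remove($cert) }

        New-Object PSObject -Property @{
            Issuer     = $cert.GetNameInfo('SimpleName', $true)   # issuing CA name
            NotAfter   = $cert.NotAfter
            Expired    = $expired
            Removed    = [bool]($expired -and $Remove)
            Thumbprint = $cert.Thumbprint
        }
    })
}
finally { $store.Close() }

$rows | Sort-Object NotAfter | Format-Table Issuer, NotAfter, Expired, Removed, Thumbprint -AutoSize

# The situation from the thread: an expired certificate next to a valid one
$expiredCount = @($rows | Where-Object { $_.Expired }).Count
$validCount   = @($rows | Where-Object { -not $_.Expired }).Count
if ($expiredCount -gt 0 -and $validCount -gt 0 -and -not $Remove) {
    Write-Warning "$expiredCount expired client-auth certificate(s) alongside $validCount valid one(s)."
}
```

Run it without arguments first to review the Issuer column and confirm that only certificates from the old CA are flagged as expired before using `-Remove`.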

Jakob Digranes (Senior Consultant) Commented:
Yes - that's true - it'll probably use the last used certificate (but I was darn sure it would deselect expired certs).
Are you authenticating with computer certs only, or computer and user?

In autoenrollment settings, have you selected Remove Revoked Certificates, Renew Expired and Update Pending Requests?

You could try to create a new template on new CA - choose the old template as superseded template, and make sure that "Update Certificates that use certificate templates" is selected - and see if expired certs from old CA will be updated with new certs from new CA.
To make this easier - restrict autoenroll to a limited group of computers/users for the new test template.


mikeydk (Author) Commented:

Only using computer certs. ;)

Yes, I use Remove Revoked Certificates, Renew Expired and Update Pending Requests...

I'll try Monday. ;) have a nice weekend.

Jakob Digranes (Senior Consultant) Commented:
any news?