Automate ssl deployment to radius NPS policies

Hi ,hope someone can advice , after automatically renewing ssl for our Windows Radius used for Wifi authentication , the newly generated certificate imported to Certificate manager needs to be manually changed on each nps policy of which there are quite number.

Wonder if anyone else has found a way to achieve this where the renewed generated certificate and without knowing it’s cert thumb print is selected and automatically deploy to NPS pols and having achieved this won’t mind sharing their genius of how ? : )
And if not can some one please assist in how to find the following with Certify cmd line or withing the gui interface.

  1. certifyApiEndpoint = https:// ???
  2. CertifyApiKey =


Hi, I can’t advise on deploying to NPS but we do have well established scripting options which would give you the thumbprint:

There are also a range of deployment tasks, including Export Certificate which can just write our the PFX wherever you need it.

Certify doesn’t currently have a public API.

i’ll have a look at the export of cert ,thank you for replying ,

This should do what you’re looking for.

param ($result)

# $result is a provided variable passed in by CerifytheWeb when invoking deploy scripts, CertificateThumbprintHash is the thumbprint of 
# the new certificate and is used to overwrite the existing cert's fingerprint so NPS picks up the correct replacement
$IASConfigPath = "%SystemRoot%\System32\ias\ias.xml"
[xml]$IASConfig = Get-Content ([Environment]::ExpandEnvironmentVariables($IASConfigPath))

$PolicyName = "Secure Wireless Connections Users"

$policy = $IASConfig.SelectSingleNode("//RadiusProfiles//*[@name='$PolicyName']")

# verify that the policy exists
if (-not ($policy)) {
  throw "Policy $PolicyName not found."

$currentThumb = $policy.Properties.msEAPConfiguration.InnerText.Substring(72,40)
$newThumbprint = $result.ManagedItem.CertificateThumbprintHash

Write-Host "Replacing $PolicyName current certificate thumbprint ""$currentThumb"" to ""$newThumbprint"""

# update the cert thumbprint if it's different
if ($newThumbprint -ne $currentThumb) {

	# save the old thumbprint
	$oldThumb = $currentThumb

	# set the new one
	Write-Verbose "Setting $PolicyName certificate thumbprint to $CertThumbprint"
	$policy.Properties.msEAPConfiguration.InnerText = $policy.Properties.msEAPConfiguration.InnerText.SubString(0,72) + $newThumbprint.ToLower() + $policy.Properties.msEAPConfiguration.InnerText.SubString(112)


	Restart-Service 'IAS'
else {
	  Write-Warning "Specified certificate is already configured for NPS Policy $PolicyName"

1 Like

Wow thanks Stevo! i’ll give it shot!

@stevo please consider adding your example script to certify-script-examples/PowerShell at main · webprofusion/certify-script-examples · GitHub (or I can add it for you).

Hi Stevo ,
i’m a BIT of novice with powershell scripting , running the script i get the following error , where it seems not to be able to see the new certificate thumbprint.
Replacing Test current certificate thumbprint “7b8ca941b2e8336d9a06ba20ACED983A010E122B” to “”
You cannot call a method on a null-valued expression.
At C:\Users\adminit\Documents\PsRadiusscript\Untitled8.ps1:30 char:2

  • $policy.Properties.msEAPConfiguration.InnerText = $policy.Propert ...
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : InvalidOperation: ( : ) | |, RuntimeException
    • FullyQualifiedErrorId : InvokeMethodOnNull
      WARNING: Waiting for service ‘Network Policy Server (IAS)’ to stop…
      WARNING: Waiting for service ‘Network Policy Server (IAS)’ to stop…
      Any thoughts ?

This code is retrieving the current thumbprint in use (the one that was there before you renewed your cert) so if you’re deploying for the first time maybe $policy.Properties.msEAPConfiguration doesn’t exist yet?