I’m using the Certify The Web client to obtain an Identity Certificate for use with NPS and Wireless Protected EAP (PEAP) authentication. PEAP needs a certificate for server identity. The client works, gets the cert, and installs it under Local Computer, Personal, Certificates as needed. The certificate can be selected under the PEAP settings in NPS. Everything appears OK.
However, under iPhone, the certificate shows as invalid. My mac prompts to accept the cert, but shows it as OK. Server time is synced with NTP. I’ve read that I need to create/install fullchain.pem, but I’m not sure where Certify puts the pem files. Anyone have any ideas?
So, by default the certificate you create/acquire in Certify is a pfx which contains the full cert chain and private key. You can use a Deployment Task to export individual cert components (see the Certificate Export deployment task) as alternative formats.
Actually I’m wrong, the PFX will include the leaf cert, intermediates and the private key but it doesn’t bundle the root CA certificate, which I think is what you mean by full chain. I think currently you might need a custom Deployment Task to construct that using OpenSSL; we can add it to the Certificate Export deployment task in a future update though.
I’m not really sure what to do. Certs are so weird. It appears most web browsers handle this, or seem to have a chain installed to find the root, so it only comes up when using the cert in Windows identity. Your client is so awesome, and includes the ability to install the certificate inside the local computer certificates, I think it would be great if this was handled. Could you help me with a script of some kind to manage this?
I think to get a proper resolution someone needs to investigate the root cause of the error (these services are well outside my own experience so I’d just be guessing).
You can deploy a domain-validated certificate to any service, but whether the clients will trust the certificate depends on what the client is expecting in the certificate chain. The way you bundle the certificate can vary (PFX, pem files [leaf certs, intermediates, full chains etc]) and that in turn can have an effect on whether the required information is available for the service/client to use.
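The maintainer above suggests building the full chain with OpenSSL from a custom Deployment Task, and the original poster asks for a script to do it. The POSIX shell script below is an added example written for this page; it is not Certify The Web's own code. It splits a PFX into privkey.pem, cert.pem (leaf) and chain.pem (intermediates), builds fullchain.pem, appends the root CA certificate only when the bundle does not already end in a self-signed certificate, and checks the result with openssl verify. The make_test_pfx function builds a throwaway root/intermediate/leaf hierarchy so the script can be exercised offline; the names radius.example.test, changeit, site.pfx and the output file names are constructed for the example. It assumes the openssl command-line tool is installed, that the PFX marks the leaf with a localKeyID (which openssl's -clcerts/-cacerts split relies on), and that the root certificate has been obtained separately from the CA, since the thread says Certify's PFX does not include it.

```shell
#!/bin/sh
# Added example for this thread, not part of Certify The Web. Turns a PFX
# (leaf + intermediates + private key, no root CA) into the PEM files a
# PEAP/RADIUS deployment usually wants, including fullchain.pem.

# Print only the PEM blocks with the given label, dropping the "Bag Attributes"
# text that openssl pkcs12 writes around them.
pem_only() { sed -n "/-----BEGIN $1-----/,/-----END $1-----/p"; }

# Number of certificates in a PEM bundle.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Write the last certificate of a PEM bundle to stdout.
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
       { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/ { last = buf }
       END { printf "%s", last }' "$1"
}

# Exit 0 when the certificate in $1 is self-signed (subject equals issuer),
# which is how a root CA certificate at the end of a chain looks.
is_self_signed() {
  ss_subject=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject=//')
  ss_issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
  [ -n "$ss_subject" ] && [ "$ss_subject" = "$ss_issuer" ]
}

# Exit 0 when a PEM bundle ends in a self-signed certificate, i.e. it is a
# "full chain" in the sense discussed in the thread.
chain_complete() {
  last_cert "$1" > "$1.last"
  if is_self_signed "$1.last"; then cc_rc=0; else cc_rc=1; fi
  rm -f "$1.last"
  return $cc_rc
}

# pfx_to_fullchain PFX PASSWORD ROOT_PEM OUTDIR
# Splits the PFX into privkey.pem, cert.pem, chain.pem and fullchain.pem,
# appending ROOT_PEM only when the PFX did not already carry the root.
pfx_to_fullchain() {
  pf_pfx=$1; pf_pass=$2; pf_root=$3; pf_out=$4
  mkdir -p "$pf_out"
  # -clcerts selects the cert carrying the localKeyID of the private key (the
  # leaf); -cacerts selects the rest (assumption: the PFX sets localKeyID).
  openssl pkcs12 -in "$pf_pfx" -passin "pass:$pf_pass" -clcerts -nokeys 2>/dev/null \
    | pem_only CERTIFICATE > "$pf_out/cert.pem"
  openssl pkcs12 -in "$pf_pfx" -passin "pass:$pf_pass" -cacerts -nokeys 2>/dev/null \
    | pem_only CERTIFICATE > "$pf_out/chain.pem"
  openssl pkcs12 -in "$pf_pfx" -passin "pass:$pf_pass" -nocerts -nodes 2>/dev/null \
    | pem_only '.*PRIVATE KEY' > "$pf_out/privkey.pem"
  chmod 600 "$pf_out/privkey.pem"
  [ -s "$pf_out/cert.pem" ] || { echo "no leaf certificate found in $pf_pfx" >&2; return 1; }
  cat "$pf_out/cert.pem" "$pf_out/chain.pem" > "$pf_out/fullchain.pem"
  if ! chain_complete "$pf_out/fullchain.pem"; then
    cat "$pf_root" >> "$pf_out/fullchain.pem"
  fi
  # Confirm the leaf really chains up to that root through the intermediates.
  if [ -s "$pf_out/chain.pem" ]; then
    openssl verify -CAfile "$pf_root" -untrusted "$pf_out/chain.pem" "$pf_out/cert.pem" >/dev/null
  else
    openssl verify -CAfile "$pf_root" "$pf_out/cert.pem" >/dev/null
  fi
}

# make_test_pfx DIR: constructed root -> intermediate -> leaf hierarchy and a
# PFX holding only leaf + key + intermediate, mirroring what the thread says
# Certify produces. For exercising the script offline, not for real use.
make_test_pfx() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Constructed Test Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/inter.ext"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/inter.ext" -out "$d/inter.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:radius.example.test\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  openssl pkcs12 -export -in "$d/leaf.pem" -inkey "$d/leaf.key" -certfile "$d/inter.pem" \
    -passout pass:changeit -out "$d/site.pfx"
}

# Usage: sh fullchain.sh --demo   (builds the test PFX and converts it)
if [ "${1:-}" = "--demo" ]; then
  demo_dir=$(mktemp -d)
  make_test_pfx "$demo_dir"
  pfx_to_fullchain "$demo_dir/site.pfx" changeit "$demo_dir/root.pem" "$demo_dir/out"
  echo "PFX carried $(count_certs "$demo_dir/out/chain.pem") intermediate(s); fullchain.pem has $(count_certs "$demo_dir/out/fullchain.pem") certificates"
  rm -rf "$demo_dir"
fi
```

For a real deployment you would call pfx_to_fullchain with the PFX path and password Certify hands to the task, plus the CA's published root certificate, and point the PEAP/RADIUS configuration at the generated fullchain.pem and privkey.pem. Intermediates are emitted in the order they appear in the PFX, so check the order with openssl x509 if the bundle holds more than one.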