Local Certificate for Server 2012 NPS & WiFi

I’m using the Certify The Web client to obtain an Identity Certificate for use with NPS and Wireless Protected EAP (PEAP) authentication. PEAP needs a certificate for server identity. The client works, gets the cert, and installs it under Local Computer, Personal, Certificates as needed. The certificate can be selected under the PEAP settings in NPS. Everything appears OK.

However, under iPhone, the certificate shows as invalid. My mac prompts to accept the cert, but shows it as OK. Server time is synced with NTP. I’ve read that I need to create/install fullchain.pem, but I’m not sure where Certify puts the pem files. Anyone have any ideas?

So, by default the certificate you create/acquire in Certify is a pfx which contains the full cert chain and private key. You can use a Deployment Task to export individual cert components (see the Certificate Export deployment task) as alternative formats.

Which PEAP server product are you using?

I see you have logged a support ticket as well. Do you want to continue the conversation here or in the support ticket?

Actually I’m wrong, the PFX will include the leaf cert, intermediates and the private key but it doesn’t bundle the root CA certificate, which I think is what you mean by full chain. I think currently you might need a custom Deployment Task to construct that using OpenSSL; we can add it to the Certificate Export deployment task in a future update though.

I’m not really sure what to do. Certs are so weird. It appears most web browsers handle this, or seem to have a chain installed to find the root, so it only comes up when using the cert in Windows identity. Your client is so awesome, and includes the ability to install the certificate inside the local computer certificates, I think it would be great if this was handled. Could you help me with a script of some kind to manage this?

Here is fine, I can’t be the only one wanting to rid myself of the self-signed cert problem using NPS with wifi.

Ultimately, I’m just trying to fix this, whatever the cause.

I’m looking for an answer to this as well.
There is a post-deployment task for RAS, but that’s not the same thing.

Was this ever resolved? If so, what was the resolution if you don’t mind sharing.

I think to get a proper resolution someone needs to investigate the root cause of the error (these services are well outside my own experience so I’d just be guessing).

You can deploy a domain-validated certificate to any service, but whether the clients will trust the certificate depends on what the client is expecting in the certificate chain. The way you bundle the certificate can vary (PFX, pem files [leaf certs, intermediates, full chains etc]) and that in turn can have an effect on whether the required information is available for the service/client to use.
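As an added example (not Certify The Web's own code, and not something posted by anyone in this thread): a PowerShell script, run by hand on the NPS server, that exports fullchain.pem from the Certify PFX and reports whether a trusted root could actually be found. It follows the two points above, that the PFX carries the leaf and intermediates but not the root, and that how you bundle the certificate decides what the service can present; the root is therefore taken from the Windows machine trust store, and all paths and the password are placeholders.

```powershell
# Added example, not Certify The Web's own code. Builds fullchain.pem (leaf, intermediates,
# root) from the PFX Certify installed, using Windows' chain engine so the root CA comes
# from the local trust store rather than from the PFX, which does not carry it.
# Paths and password are placeholders; adjust them for your deployment.
param(
    [string]$PfxPath     = 'C:\path\to\certify-export.pfx',   # placeholder: the Certify PFX
    [string]$PfxPassword = '',                                 # placeholder: PFX password, if any
    [string]$OutPath     = 'C:\path\to\fullchain.pem'          # placeholder: output bundle
)

function ConvertTo-PemCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Standard 64-column PEM; strict parsers reject longer base64 lines.
    $b64   = [Convert]::ToBase64String($Cert.RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----') -join "`r`n"
}

$pfxArgs = @{ FilePath = $PfxPath }
if ($PfxPassword) {
    $pfxArgs.Password = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force
}
$pfx  = Get-PfxData @pfxArgs          # PKI module, Server 2012 and later
$leaf = $pfx.EndEntityCertificates[0] # the server identity cert NPS presents for PEAP

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only chain construction matters here
if ($pfx.OtherCertificates.Count -gt 0) {
    # Intermediates shipped inside the PFX; the root still has to come from the machine store.
    $chain.ChainPolicy.ExtraStore.AddRange($pfx.OtherCertificates)
}
if (-not $chain.Build($leaf)) {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain problem: {0} {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}

# ChainElements runs leaf first, root last; a complete bundle ends at a self-signed cert.
$certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
$top   = $certs[-1]
if ($top.Subject -ne $top.Issuer) {
    Write-Warning "Chain ends at '$($top.Subject)', which is not a self-signed root; bundle is incomplete."
}

$pem = ($certs | ForEach-Object { ConvertTo-PemCertificate $_ }) -join "`r`n"
Set-Content -Path $OutPath -Value $pem -Encoding Ascii
foreach ($c in $certs) { "{0}`n   issued by {1}" -f $c.Subject, $c.Issuer }  # show what was bundled
"Wrote $($certs.Count) certificate(s) to $OutPath"
```

Whether an iPhone or Mac then accepts the server identity still depends on that root being in the client's own trust store; the script only makes the chain the server presents complete and shows you which root it ends at.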