Intermediate certificate renewal in environment with NPS

Urmas Vanem 31 Reputation points
2025-02-08T08:44:32.63+00:00

NPS and certificate renewal

We have a two-tier PKI solution, an NPS server and a few thousand Wi-Fi clients authenticating to the network with user certificates through the NPS server. Now we must renew the intermediate certificate.

We tried to do it step by step to be sure everything would work correctly, so we requested a new intermediate CA certificate (with the same key) from our root CA and then tried to integrate it with NPS and test a Wi-Fi client without installing the certificate on the intermediate CA. The result is confusing. We tried to introduce the certificate in three different ways:

1) New intermediate certificate is in the intermediate certificates store on the NPS server;

2) New intermediate certificate is in the intermediate certificates store on the Wi-Fi client;

3) New intermediate certificate is in the intermediate certificates store on both the NPS server and the Wi-Fi client.

It just does not work: we get error 295 ("A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider", or something like that). So it seems that the intermediate certificate must be in the NTAuth store in the domain to enable authentication with this certificate. Our questions are:

1) If we add the certificate to the NTAuth store in the domain (manually or by installing it on the intermediate CA), then all domain members will become aware of it and add this certificate to their intermediate certificates store and local NTAuth store (in the registry). But we are afraid of situations where:

a. The NPS server gets the knowledge first and clients will not be able to authenticate any more (way 1 above);

b. The client computer/user gets the knowledge first and will not be able to authenticate any more (way 2 above).

2) And why does Windows think it must use the new certificate to build the chain at all? Can we change the behavior somehow? The client certificates are not issued by the new intermediate certificate!

3) We can add the new intermediate certificate locally to the NPS server registry and test it then, but that should not be the way to go?

After reading tons of articles, our summary question is: what is the safe and recommended way to renew certificates in environments with NPS?

Thanks,

Urmas
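Added example (not part of the post above and not Microsoft's own tooling): a PowerShell check that reports, for one machine, whether a given CA certificate is present in the local Intermediate Certification Authorities store and in the locally cached enterprise NTAuth store (the registry copy the post refers to). Running it on the NPS server and on a test client side by side makes the "one side knows about the certificate first" situation visible before the renewed intermediate is published; the thumbprint is a placeholder to be replaced with the real one.

```powershell
# Added example: where is a CA certificate known on this machine?
# Run on the NPS server and on a test Wi-Fi client and compare the output.
# $NewIntermediateThumbprint is a PLACEHOLDER (assumption); replace it with the
# SHA-1 thumbprint of the renewed intermediate CA certificate.
param(
    [string]$NewIntermediateThumbprint = 'REPLACE_WITH_SHA1_THUMBPRINT'
)

# Normalize: thumbprints are often pasted with spaces and mixed case.
$tp = ($NewIntermediateThumbprint -replace '\s', '').ToUpperInvariant()

# Local Intermediate Certification Authorities store
# (the "intermediate certificates store" from the post).
$inCA = [bool](Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Thumbprint -eq $tp })

# Local cache of the enterprise NTAuth store, refreshed from Active Directory
# by autoenrollment. Each subkey is named after the certificate's SHA-1 thumbprint.
$ntauthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$ntauthThumbs = @()
if (Test-Path $ntauthKey) {
    $ntauthThumbs = @((Get-ChildItem $ntauthKey).PSChildName |
        ForEach-Object { $_.ToUpperInvariant() })
}
$inNTAuth = $ntauthThumbs -contains $tp

# One row per machine; collect rows from NPS and client to spot a mismatch
# (certificate trusted for chain building on one side but not the other).
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    Thumbprint          = $tp
    InIntermediateStore = $inCA
    InLocalNTAuth       = $inNTAuth
    LocalNTAuthCount    = $ntauthThumbs.Count
}

# Cross-checks with built-in tooling:
#   certutil -store -enterprise NTAuth   # lists the same local NTAuth cache
#   certutil -pulse                      # triggers autoenrollment, which refreshes
#                                        # the cache from the AD NTAuthCertificates object
```

Because NPS only accepts client certificates whose issuing CA is in NTAuth, a machine where InLocalNTAuth is $false for the new certificate but $true on the other end is exactly the asymmetric state the question worries about.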
