Installing an SSL Certificate on Microsoft Network Policy Server (NPS)

Michelle Roberts

Microsoft Network Policy Server (NPS) authenticates wireless and Virtual Private Network (VPN) users, and the SSL Certificate it presents during authentication is what stops those users from handing credentials to a rogue access point.

A publicly trusted SSL Certificate shines here when client devices are not domain joined, since phones, tablets, and personal laptops already trust public Certificate Authority (CA) roots out of the box.

Choosing the Right SSL Certificate

The Common Name (CN) should be a real hostname for the NPS server, such as radius.yourdomain.com, because many client platforms display or validate it during connection. The SSL Certificate must also carry the Server Authentication purpose, which every standard SSL Certificate includes.

Generate the Certificate Signing Request (CSR) on the NPS server itself so the Private Key is created and stays in the machine store, then complete validation as normal. Learn About the Validation Procedure 🔗

Installing into the Machine Store

Download the issued SSL Certificate and the ca-bundle of Intermediate Certificates once issuance completes, both available in the tracking system. View Our Tracking & SSL Management 🔗

Complete the pending request from an elevated prompt, then add the Intermediate Certificates to their store, so the server can present the full chain during authentication.

certreq -accept yourdomain.crt
certutil -addstore CA yourdomain.ca-bundle

An SSL Certificate arriving from another server as a Personal Information Exchange (PFX) file imports with certutil -importpfx instead, landing in the machine personal store with its Private Key intact.

Selecting the SSL Certificate in the Network Policy

Open the NPS console and edit the network policy that authenticates your wireless or VPN users. On the Constraints tab, open Authentication Methods, select the Microsoft Protected Extensible Authentication Protocol (PEAP) entry, and click Edit.

The dialog shows which SSL Certificate the server currently presents. Select the new entry from the dropdown, confirm, and the change applies to new authentications immediately. Policies authenticating the clients themselves with their own SSL Certificates expose the same server-side selection in their own method settings.

Important: Wireless profiles on client devices often pin the exact server name or the issuing chain. After replacing the SSL Certificate, devices configured to validate the previous details will prompt again or refuse to connect until their profile accepts the new chain, so plan the change alongside your device management settings.

With the policy updated, a controlled test closes the loop.

Verifying the Installation

Connect a test device through the wireless network or VPN and confirm authentication succeeds with the new SSL Certificate presented. Devices that surface the SSL Certificate details during connection should show your hostname and the public chain rather than a self-signed entry.

Because NPS does not answer ordinary HTTPS requests, browser-based checks do not apply here, and a controlled client test is the reliable verification.

Troubleshooting Common Installation Problems

An SSL Certificate missing from the PEAP dropdown lacks its Private Key or sits in the wrong store. Confirm the entry lives in the machine personal store and reports a Private Key, completing the request with certreq when it does not. Learn About Reissuing Your SSL Certificate 🔗

Clients failing with trust errors despite a valid SSL Certificate usually cannot build the chain, meaning the Intermediate Certificates were never added on the server. Add them and retest. Learn About Intermediate Certificates 🔗
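As an added example (not from the original article), the following PowerShell audit covers both the machine-store installation steps above and these two troubleshooting cases: run from an elevated prompt on the NPS server, it finds the certificate for the placeholder hostname radius.yourdomain.com in the machine personal store and checks for a bound Private Key, the Server Authentication purpose, and a chain that builds from the installed Intermediate Certificates.

```powershell
# Added example (not from the original article): audit the machine personal store
# for the NPS SSL Certificate before selecting it in the PEAP settings.
# Assumption: the hostname below is a placeholder; replace it with your NPS CN.
$Hostname = 'radius.yourdomain.com'

# Server Authentication EKU OID, the purpose a PEAP server certificate must carry.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

# Look in the machine personal store only; a certificate in CurrentUser\My
# or in another LocalMachine store is invisible to the PEAP dropdown.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$Hostname*" }

if (-not $candidates) {
    Write-Warning "No certificate for CN=$Hostname in LocalMachine\My. Complete the pending request with certreq -accept, or import the PFX with certutil -importpfx."
    return
}

foreach ($cert in $candidates) {
    Write-Host "Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"

    # 1. Private key: without it the entry never appears in the PEAP dropdown.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "  No private key bound. Re-run certreq -accept on the server that generated the CSR."
    }

    # 2. Server Authentication purpose, read from the Enhanced Key Usage extension.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    if (-not $hasServerAuth) {
        Write-Warning "  Missing Server Authentication EKU ($ServerAuthOid); clients will reject it as a PEAP server certificate."
    }

    # 3. Chain: a failure here is the 'trust error despite a valid certificate'
    #    symptom, usually because the Intermediate Certificates were never added.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check of chain shape only
    if ($chain.Build($cert)) {
        Write-Host "  Chain builds ($($chain.ChainElements.Count) certificates):"
        $chain.ChainElements | ForEach-Object { Write-Host "    $($_.Certificate.Subject)" }
    } else {
        Write-Warning "  Chain does not build:"
        $chain.ChainStatus | ForEach-Object { Write-Warning "    $($_.Status): $($_.StatusInformation.Trim())" }
        Write-Warning "  Add the ca-bundle with: certutil -addstore CA yourdomain.ca-bundle"
    }
}
```

A certificate that passes all three checks will appear in the PEAP dropdown and present a complete chain to clients; any warning printed maps to one of the fixes described above.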

A sudden wave of connection prompts after replacement is expected behavior from profiles validating the previous details, not a fault in the new SSL Certificate.

Professional Installation Assistance

Authentication infrastructure punishes downtime more than a website does, since a misstep locks users off the network rather than showing a warning.

Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf. Discover Our Premium Installation Service 🔗

Most Popular Questions

Frequently asked questions covering SSL Certificate installation for Microsoft Network Policy Server (NPS), including public trust for personal devices, hostname and purpose requirements, Protected Extensible Authentication Protocol (PEAP) selection, the client reconnection wave, controlled client verification, missing dropdown entries, and the Trustico® Premium Installation service.

Public Trust for BYOD Wireless Authentication

The SSL Certificate that Network Policy Server (NPS) presents during authentication is what stops users from handing credentials to a rogue access point. A publicly trusted SSL Certificate shines when client devices are not domain joined, since phones, tablets, and personal laptops already trust public Certificate Authority (CA) roots out of the box.

Choosing the Hostname and SSL Certificate Purpose

The Common Name (CN) should be a real hostname for the NPS server, because many client platforms display or validate it during connection, and the SSL Certificate must carry the Server Authentication purpose, which every standard SSL Certificate includes. Generate the Certificate Signing Request (CSR) on the NPS server itself so the Private Key is created and stays in the machine store.

Selecting the SSL Certificate in PEAP Settings

Edit the network policy that authenticates wireless or Virtual Private Network (VPN) users, open Authentication Methods on the Constraints tab, and edit the Microsoft Protected Extensible Authentication Protocol (PEAP) entry to select the new SSL Certificate. The change applies to new authentications immediately.

The Client Reconnection Wave After Replacement

Wireless profiles on client devices often pin the exact server name or the issuing chain, so devices configured to validate the previous details will prompt again or refuse to connect until their profile accepts the new chain. A sudden wave of connection prompts after replacement is expected behavior rather than a fault in the new SSL Certificate, so plan the change alongside your device management settings.

Verifying Without a Browser

NPS does not answer ordinary HTTPS requests, so browser-based checks do not apply here. Connect a test device through the wireless network or Virtual Private Network (VPN) and confirm authentication succeeds with the new SSL Certificate presented, showing your hostname and the public chain rather than a self-signed entry.

SSL Certificates Missing from the PEAP Dropdown

An SSL Certificate missing from the dropdown lacks its Private Key or sits in the wrong store, so confirm the entry lives in the machine personal store and reports a Private Key, completing the request with certreq when it does not. Clients failing with trust errors despite a valid SSL Certificate usually cannot build the chain, meaning the Intermediate Certificates were never added on the server.

Premium Installation Assistance for NPS Environments

Authentication infrastructure punishes downtime more than a website does, since a misstep locks users off the network rather than showing a warning. Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf.
