Certificate renewal issue
You probably just have to wait for replication to take place. Changing permissions on a template will not be recognized immediately. You can speed it up by removing the certificate template and then republish the certificate template to recognize the change quicker.
There would be huge harm in standing up a new CA. This would be the absolutely worst practice of all time!!!
You need to fix what is wrong rather than throwing new CAs at the problem. I think you are almost there. Missing the account is a huge issue, and would never work without having the correct account having the correct permissions.
HTH
Brian
February 4th, 2012 7:41am
Hello,
I'm trying to renew the certificates for our WIFI network. We use IAS and certificates to authenticate users and each year I have to go to our Windows 2003 IAS server and browse to the local cert server through IE and request the new cert (Server Authentication Certificate) and then install it. However this time round when I go to the IAS server > Remote Access Policies > Edit Profile > Authentication > EAP Methods > Edit I then go to the Certificate issued and select the drop down box and the new certificate isn't visible.
2 things I have noticed: the certificate server has been upgraded from Windows 2003 to 2008 since last year, and during requesting the certificate the tick is missing for "Store certificate in the local computer store".
Any Ideas?
February 4th, 2012 11:46am
This is a change in web enrollment and there is no way to directly request computer certificates from web pages. Here are some details about these changes: http://support.microsoft.com/kb/922706. Instead, you should use MMC console (Certificates snap-in focused on Local Computer store). Just open this console, select Personal store, right-click and select request certificate, or select existing certificate (which must be time valid) and renew it by using certificate enrollment wizard.
Note, that IAS server computer account must have Read and Enroll permissions on the template (RAS and IAS Server — if you are using default certificate template for IAS).
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
February 4th, 2012 12:05pm
Hi,
Thanks for finding the time to answer my question, I'm very worried my WIFI network will stop working should I not update the certificates soon! I have a couple of questions so I can explain it to my boss, hope you don't mind:
1.) I used to use the web site of the cert server to get a new certificate and this cert server was on Windows 2003, but now it has been upgraded I have to use this other method to request a certificate from it?
2.) Once I have done this do I just go back to my Windows 2003 IAS server (also DC) and go to the usual PEAP settings and I should hopefully see the new certificate in the drop down box to use?
3.) The current certificate doesn't expire for another 3 weeks; is it easy to renew in the new method as I need to use the same settings I did when I used the web version?
Many thanks
February 4th, 2012 1:00pm
> but now it has been upgraded I have to use this other method to request a certificate from it?
yes.
> Once I have done this do I just go back to my Windows 2003 IAS server (also DC) and go to the usual PEAP settings and I should hopefully see the new certificate in the drop down box to use?
I guess, that yes.
> The current certificate doesn't expire for another 3 weeks is it easy to renew in the new method as I need to use the same settings I did when I used the web version?
Yes, it is quite easy. Open a blank MMC console, add the Certificates snap-in (in Local Computer context). Select the existing certificate that is used for the IAS service. Right-click -> All Tasks -> Renew Certificate with New Key Pair. Go through the wizard to renew the certificate. Do not forget to edit RAS and IAS Server template permissions, so the DC will be able to renew the certificate. Since you (I guess) are using an Enterprise CA that uses certificate templates, all settings for certificates are stored in the certificate template.
February 4th, 2012 1:22pm
Thanks, how do I edit those permissions for RAS and IAS?
February 4th, 2012 1:28pm
On the CA server run certtmpl.msc. In the opened console window, locate and double-click the RAS and IAS Server template. Switch to the Security tab and grant Read and Enroll permissions for the IAS server computer account.
In addition, you need to check whether the template is available for issuance. On the CA server run certsrv.msc. Expand the CA server node and select the Certificate Templates folder. Check if the mentioned template is listed here. If not, right-click the Certificate Templates folder -> New -> Certificate Template to Issue. Add the template and you can start the certificate renewal process.
February 4th, 2012 1:48pm
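As an added example (not part of this thread or any poster's code), the check below enumerates which principals hold Read, Enroll or Autoenroll on a certificate template's AD object, so the IAS server's computer account, or a group it belongs to, can be confirmed without walking the Security tab in certtmpl.msc. It assumes Windows PowerShell 2.0 or later on a domain member and that the template's CN is "RASAndIASServer" (the default "RAS and IAS Server" template); the two extended-right GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment rights.

```powershell
# Added example, not from the thread: list principals granted Read / Enroll /
# Autoenroll on a certificate template's AD object.
# Assumptions: Windows PowerShell 2.0+ on a domain member; template CN is
# "RASAndIASServer" (the default "RAS and IAS Server" template).
$templateCn     = 'RASAndIASServer'
$enrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$autoenrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment extended right
$extendedRight  = 0x100    # ActiveDirectoryRights.ExtendedRight
$genericRead    = 0x20094  # ActiveDirectoryRights.GenericRead (any of its bits counts as Read here)

function Get-TemplateEnrollAces {
    param([string]$Cn)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn = "CN=$Cn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $template = [ADSI]"LDAP://$dn"
    # Binding is lazy; the first property access fails if the object does not exist.
    try { $null = $template.distinguishedName } catch { throw "Template '$Cn' not found at $dn" }
    # ObjectSecurity exposes the template DACL as ActiveDirectoryAccessRule objects.
    foreach ($ace in $template.ObjectSecurity.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = @()
        $mask = [int]$ace.ActiveDirectoryRights
        if (($mask -band $genericRead) -ne 0) { $rights += 'Read' }
        if (($mask -band $extendedRight) -ne 0) {
            # ObjectType names the specific extended right; an empty GUID means all extended rights.
            if ($ace.ObjectType -eq $enrollGuid -or $ace.ObjectType -eq [Guid]::Empty) { $rights += 'Enroll' }
            if ($ace.ObjectType -eq $autoenrollGuid -or $ace.ObjectType -eq [Guid]::Empty) { $rights += 'Autoenroll' }
        }
        if ($rights.Count -gt 0) {
            New-Object PSObject -Property @{
                Identity = $ace.IdentityReference.Value
                Rights   = ($rights -join ', ')
            }
        }
    }
}

Get-TemplateEnrollAces -Cn $templateCn | Format-Table Identity, Rights -AutoSize
```

If the IAS server's computer account is only covered through a group (for example the built-in "RAS and IAS Servers" group), confirm its membership separately; the output lists the ACE identities as written, not resolved membership.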
Hi,
What is interesting is the Cert does get created when I go from the IAS Windows 2003 server and then to the Windows 2008 cert server via http://IP/certsvr and create the certificate and install it. I find the certificate now goes into (mmc) Certificates - Current User and not Certificate (Local Computer), but allows me to drag it into there.
If I then go to the IAS server (our Windows 2003 DC) it is there in the PEAP settings to be selected!
Can you see any reason why this certificate won't work?
Thanks
This is because when you D&D the cert between contexts (current user and local machine) the private key is not moved. As I said, web enrollment for computer certificates is deprecated and you should use Certificates MMC snap-in.
February 4th, 2012 2:01pm
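As an added example (not part of this thread or any poster's code), the script below lists the certificates in the Local Computer Personal store and flags why IAS/NPS would not offer, or would fail with, each one for PEAP: no private key in that store (exactly what happens to a certificate dragged in from Current User), no Server Authentication EKU, expiry, or a chain that does not verify. It assumes Windows PowerShell 2.0 or later on the IAS/NPS server.

```powershell
# Added example, not from the thread: check Local Computer\Personal certificates
# for the properties a PEAP server certificate needs.
# Assumption: Windows PowerShell 2.0+ on the IAS/NPS server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth EKU
$warnDays      = 21                    # flag certificates expiring within three weeks

function Test-PeapCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    # A certificate copied between stores without its key shows up but cannot be used.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in this store' }
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }
    if ($ekus -notcontains $serverAuthOid) { $problems += 'missing Server Authentication EKU' }
    $now = Get-Date
    if ($Cert.NotAfter -lt $now) { $problems += 'expired' }
    elseif ($Cert.NotAfter -lt $now.AddDays($warnDays)) { $problems += ('expires ' + $Cert.NotAfter.ToShortDateString()) }
    # Verify() builds the chain against the machine's trusted roots and checks revocation.
    if (-not $Cert.Verify()) { $problems += 'chain or revocation check failed' }
    return $problems
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $problems = @(Test-PeapCertificate -Cert $cert)
    $status = if ($problems.Count -eq 0) { 'usable for PEAP' } else { $problems -join '; ' }
    '{0,-45} {1,-11} {2}' -f $cert.Subject, $cert.NotAfter.ToShortDateString(), $status
}
```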
In the end I just moved the cert and it worked.
February 4th, 2012 2:10pm
Hi,
I have checked the permissions on the template and it didn't have the right account on there so I added it, but still get the errors when I either renew or try and create a new one. Could the server be missing some certificate roles as I'm not sure what it should have installed, but guessed it should have everything it needs installed as it was an upgrade from Windows 2003 to 2008?
Would there be any harm if I create a new Windows 2003 cert server (standalone or enterprise)?
Thanks
February 5th, 2012 2:19am
Thanks, I'm going try this now.
February 5th, 2012 3:40am
Hi,
I've just tried running "Renew Certificate with New Key Pair" on the Windows 2003 IAS server and I get the error:
"The certificate cannot be renewed because it does not contain enough information to generate a renewal request. Please request a new certificate"
should I proceed?
February 5th, 2012 3:59am
Hi TB303,
Either requesting a certificate with a new key or the same key will work for you. Please note that requesting a certificate with the same key provides maximum compatibility with past uses of the key pair, but it does not enhance the security of the certificate and key pair.
About adding permissions for the template, we need to open the certificate template console. As Vadims mentioned, please run certtmpl.msc to open it, or navigate to the Certificate Templates as you said, right click it and choose Manage. Then, edit the permission of the template. Hope it helps.
Best Regards,
Aiden
February 5th, 2012 4:12am
If you can't renew — just request a new certificate.
February 5th, 2012 4:46am
Would it be with same key or new key Vadims?
I had to add the permissions to the template by the way like you mentioned, however I had problems locating the template on the Windows 2008 cert server. I had to go to Server Manager > Roles > Active Directory Certificate Services > Certificate Templates (had the name of one of our Domain Controllers here?)
Thanks
February 5th, 2012 6:00am