Server Certificate Requirements

Updated: October 21, 2008

Applies To: Windows Server 2008, Windows Server 2008 R2

All certificates that are used for network access authentication with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer/Transport Layer Security (SSL/TLS) as specified below. If you configure your server certificate according to this information, your server certificates will also meet the requirements for PEAP and EAP.


Use the Certificate Templates Microsoft Management Console (MMC) snap-in and a copy of the RAS and IAS Servers certificate template to configure server certificates for use with EAP and PEAP. For more information, see Foundation Network Companion Guide: Deploying Server Certificates in the Windows Server 2008 Technical Library at

While configuring a copy of the RAS and IAS Servers certificate template, ensure that the following is true:

  • The Subject name field contains a value. If you issue a certificate to your NPS server that has a blank subject name, the certificate is not available for selection when you're configuring authentication in NPS network policy and connection request policy.

  • The server certificate chains to a trusted root certification authority (CA) and does not fail any of the checks that are performed by CryptoAPI and that are specified in the remote access policy or network policy.

  • The NPS server or virtual private network (VPN) server certificate is configured with the Server Authentication purpose in Application Policies extensions (also called Enhanced Key Usage (EKU) extensions). The object identifier for Server Authentication is

  • The server certificate is configured with a required Rivest-Shamir-Adleman (RSA) algorithm value.

  • The Subject Alternative Name (SubjectAltName) extension, if used, must contain the Domain Name System (DNS) name of the server.