Computer and User Certificate Requirements

Applies To: Windows Server 2008, Windows Server 2008 R2

All certificates that are used for network access authentication with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer/Transport Layer Security (SSL/TLS) as specified below. If you configure your computer and user certificates according to this information, your certificates will also meet the requirements for PEAP and EAP.

Note

Use the Certificate Templates MMC snap-in and copies of the User certificate template and the Workstation Authentication certificate template to configure user and computer certificates for use with EAP and PEAP. For more information, see Foundation Network Companion Guide: Deploying Computer and User Certificates in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=113884.

While configuring copies of the User certificate template and the Workstation Authentication certificate template, ensure that the following is true:

  • The Subject name field contains a value. If you issue a certificate that has a blank subject name, the certificate cannot be used for authentication.

  • The certificate chains to a trusted root certification authority (CA) and does not fail any of the checks that are performed by CryptoAPI and that are specified in Network Policy Server (NPS) network policy. Because you are issuing certificates from your own enterprise root CA, computer and user certificates issued by the CA automatically chain to the CA. Domain member computers have the CA certificate in the Trusted Root Certification Authorities folder in both the Local Computer and Current User certificate stores, which means that they trust the CA.

  • The user or computer certificate is configured with the Client Authentication purpose in Application Policies extensions (also called Enhanced Key Usage (EKU) extensions). The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2. By default, the User and Workstation Authentication certificate templates contain this purpose in Application Policies extensions.

  • For user certificates, the Subject Alternative Name (SubjectAltName) extension, if used, contains the user principal name (UPN). By default, the User certificate template is configured with the UPN.

  • For computer certificates, the SubjectAltName extension, if used, contains the fully qualified domain name (FQDN) of the computer, which is also called the DNS name. By default, the Workstation Authentication certificate template is not configured with this value and must be reconfigured to meet this requirement.