Deploy a CA and NPS Server Certificate

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

You can use these procedures to install Active Directory┬« Certificate Services (AD CS) and enroll a server certificate to servers running Network Policy Server (NPS). If you deploy certificate-based authentication, servers running NPS must have a server certificate. During the authentication process, these servers send their server certificate to client computers as proof of identity.

The process of configuring NPS server certificate enrollment occurs in three stages:

  1. Install the AD CS server role . This step is required only if you have not already deployed a certification authority (CA) on your network.


By installing Active Directory Certificate Services (AD CS), you are either creating or extending a Public Key Infrastructure (PKI). A PKI that meets the requirements of most organizations is a multi-tier Certification Authority (CA) hierarchy that implements an Offline Root CA( For more information, see PKI Design Guidance ( Additional step-by-step information is available in the TechNet Wiki article AD CS and PKI Step-by-Steps, Labs, Walkthroughs, How To, and Examples (

  1. Configure a server certificate template and autoenrollment . The CA issues certificates based on a certificate template, so you must configure the template for the NPS server certificate before the CA can issue a certificate. When you configure autoenrollment, all servers running NPS on your network will automatically receive a server certificate when Group Policy on the server running NPS is refreshed. If you add more servers later, they will automatically receive a server certificate, too.

  2. Refresh Group Policy on servers running NPS . When Group Policy is refreshed, the servers running NPS receive two certificates. One certificate is the server certificate based on the template that you configured in the previous step. This certificate is used by NPS to prove its identity to client computers that attempt to connect to your network. The other certificate is the issuing CA certificate, which is automatically installed on the servers running NPS in the Trusted Root Certification Authorities certificate store. NPS uses this certificate to determine whether to trust certificates it receives from other computers. For example, if you deploy Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), client computers use a certificate to prove their identities to the server running NPS. When the server receives a certificate from a client computer, trust for the certificate is established because the server running NPS finds the issuing CA certificate in its own Trusted Root Certification Authorities certificate store.

Rather than autoenrolling an NPS server certificate, you might want to enroll the certificate by using one of the following methods:

  • Manually import an NPS server certificate from floppy disk or compact disc into the NPS certificate store.

  • Use the Certificate Services Web enrollment tool to obtain the NPS server certificate.

Because the NPS server certificate is a computer certificate, you must import the certificate into the certificate store for the Local Computer rather than for the Current User.


If the NPS server certificate is erroneously installed in the Current User certificate store, NPS cannot use the certificate for EAP or Protected EAP (PEAP) authentication because the private keys of the certificate have an incorrectly configured access control list (ACL) that prevents key access by the local system. You can verify the location of the NPS server certificate by using the Certificates Microsoft Management Console (MMC) snap-in. If the NPS server certificate is in the incorrect location, do not attempt to drag and drop the certificate from the Current User to the Local Computer certificate store. The private keys for the certificate will still have an incorrectly configured ACL. Instead, revoke the certificate using AD CS and issue a new server certificate to the server running NPS.

To deploy a CA and autoenroll NPS server certificates, perform the following procedures: