Renewing the certificate for Windows Server NPS

A client had an issue with 802.1X network authentication. After doing some digging in the NPS logs, I found the cause in the Event Viewer:

NPS error 262: The supplied message is incomplete. The signature was not verified

This means that the certificate used by the Network Policy Server role on the RADIUS server had expired. You can easily check this by opening the MMC console and adding the Certificates snap-in.

On the previous screenshot, you can see that I already renewed the certificate. But it was only valid for 1 year instead of the 3 years configured (see below) on the certificate template used by the DC to generate the certificate.

By default, you can only renew the certificate for 2 years, although the GUI lets you enter whatever you want, in my example 3 years. Then, when you generate a certificate on the RADIUS server side, you still get a certificate that expires after 1 year.
You can extend the expiration time with these commands on the certification authority server.

C:\Windows\system32>certutil -setreg CA\ValidityPeriod "Years"
C:\Windows\system32>certutil -setreg CA\ValidityPeriodUnits 3
Ancienne valeur :
ValidityPeriodUnits REG_DWORD = 2
Nouvelle valeur :
ValidityPeriodUnits REG_DWORD = 3

C:\Windows\system32> net stop certsvc
C:\Windows\system32> net start certsvc
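
To confirm the result from the NPS server itself, the following PowerShell script (an added example, not part of the original post) lists the Server Authentication certificates in the local machine store with their issued lifetime and the days remaining. It assumes the NPS certificate is stored in Cert:\LocalMachine\My; the $WarnDays threshold and the Get-CertExpiryStatus helper are illustrative names.

```powershell
# Added example: report Server Authentication certificates on the NPS server
# and flag the ones that are expired or close to expiry.
# Assumption: the certificate used by NPS is in Cert:\LocalMachine\My and
# carries the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
param(
    [int]$WarnDays = 30   # constructed threshold, adjust to your renewal process
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$now = Get-Date

# Hypothetical helper: classify a certificate by its remaining lifetime.
function Get-CertExpiryStatus {
    param(
        [Parameter(Mandatory)] [datetime]$NotAfter,
        [Parameter(Mandatory)] [datetime]$Now,
        [Parameter(Mandatory)] [int]$WarnDays
    )
    $daysLeft = [math]::Floor(($NotAfter - $Now).TotalDays)
    if ($daysLeft -lt 0) { 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
    else { 'OK' }
}

# Certificates without any EKU extension are skipped by this filter.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            # Issued lifetime: shows whether the new certificate really got
            # the validity configured on the template and the CA.
            ValidYears = [math]::Round(($_.NotAfter - $_.NotBefore).TotalDays / 365, 1)
            DaysLeft   = [math]::Floor(($_.NotAfter - $now).TotalDays)
            Status     = Get-CertExpiryStatus -NotAfter $_.NotAfter -Now $now -WarnDays $WarnDays
            Thumbprint = $_.Thumbprint
        }
    } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

Run it before and after the renewal: the ValidYears column shows whether the re-issued certificate picked up the longer validity period.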

Author: Kévin SAS

I am Kévin SAS and I live in France. I am a network and security engineer. I have worked for a lot of customers in these domains: Wireless, LAN, Datacenter, VoIP, with several brands like Cisco, HPE, Aruba and Palo Alto, amongst others. I previously worked for a service provider. I currently work for an integrator, which gives me lots of opportunities to learn. This blog stores some technical notes I wanted to share.
