Wifi, 802.1x, simple certificate selection, CA

Hey

We have installed a new CA - it works fine.

On our Windows 7 machines we now have 1 new machine certificate from the new CA and one from the old CA.

Both are working for WIFI auth.

Some of the old certificates are about to expire. On some machines (Windows 7) it seems to be using the old (and expired) certificate - so it's unable to connect to wifi.

How do I deal with this issue? (expired certificates from old CA)

We use computer auth + simple certificate selection.

Thanks in advance

Mike



Simple Certificate Selection is designed so that it'll remember your choice if you choose one certificate over the other. Also, if the old certificate is expired, Windows will choose the new valid one, as long as it is installed - and, of course, valid.

However, you should revoke all certs from old CA when demoting it, as long as new CA is up and running.



Jakob> Thanks for your time ;) I have many Windows 7 boxes with one expired (Old CA) and one valid (New CA).

About 70% are unable to log on to our WIFI. As soon as I delete the expired certificate it's able to connect to the WIFI.

Therefore I suspect Windows to use the expired certificate for WIFI.

Best regards

Mike
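
To see which machine certificates a client can offer for 802.1X computer authentication, and whether an expired one sits next to a valid one as described above, the machine store can be inventoried. This is an added example, not part of the original posts; the `-RemoveExpired` switch and the `Test-ClientAuth` helper are hypothetical names chosen here, and the script assumes it is run elevated with PowerShell 2.0 or later.

```powershell
# Added example: list client-authentication certificates in LocalMachine\My
# and flag expired ones. Report-only unless -RemoveExpired is given.
param([switch]$RemoveExpired)   # hypothetical switch, not a built-in parameter

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

function Test-ClientAuth($cert) {
    # PowerShell 2.0 has no EnhancedKeyUsageList property, so read the extension directly.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $true }    # no EKU extension means no purpose restriction
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $clientAuthOid) { return $true }
    }
    return $false
}

$flags = if ($RemoveExpired) { 'ReadWrite' } else { 'ReadOnly' }
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open($flags)

# Candidates: certificates with a private key that are usable for client authentication.
$certs   = @($store.Certificates | Where-Object { $_.HasPrivateKey -and (Test-ClientAuth $_) })
$valid   = @($certs | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })
$expired = @($certs | Where-Object { $_.NotAfter -le $now })

$certs | Sort-Object NotAfter | Select-Object `
    @{n='State';  e={ if ($_.NotAfter -le $now) { 'EXPIRED' } else { 'valid' } }},
    NotAfter, Thumbprint,
    @{n='Issuer'; e={ $_.GetNameInfo('SimpleName', $true) }} | Format-Table -AutoSize

if ($expired.Count -gt 0 -and $valid.Count -gt 0) {
    Write-Warning "Expired and valid client-auth certificates coexist on $env:COMPUTERNAME."
}

# Delete expired certificates only when a valid replacement is already installed.
if ($RemoveExpired -and $valid.Count -gt 0) {
    $expired | ForEach-Object { $store.Remove($_) }
}
$store.Close()
```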



Yes, that's true. It'll probably use the last used certificate (but I was darn sure it would deselect expired certs).
Are you authenticating with computer certs only, or computer and user?

In autoenrollment settings, have you selected Remove Revoked Certificates, Renew Expired and Update Pending Requests?

You could try to create a new template on the new CA - choose the old template as the superseded template, and make sure that "Update Certificates that use certificate templates" is selected - and see if expired certs from the old CA will be updated with new certs from the new CA.
To make this easier - restrict autoenroll to a limited group of computers/users for the new test template.



Hey

Only using computer certs. ;)

Yes, I use Remove Revoked Certificates, Renew Expired and Update Pending Requests...

I'll try Monday. ;) Have a nice weekend.

Mike



any news?
