
Automated SSL certificate renewal for Network Policy Server (NPS)

NPS hides its RADIUS server certificate inside each network policy. CertKit keeps it current.

Network Policy Server is Microsoft's RADIUS server, and it's what authenticates your 802.1X Wi-Fi, wired network access, and VPN clients with PEAP or EAP-TLS. The server certificate NPS presents during that handshake isn't a named binding. It's stored inside the EAP configuration of each network policy as 14000000 followed by the certificate's SHA1 thumbprint. When the certificate renews, the thumbprint changes, the policy still points at the old one, and NPS stops authenticating clients. Every 47 days. On every NPS server you run.

CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your NPS servers via the CertKit Agent, rewrites the thumbprint in every affected policy, and restarts the service so RADIUS comes back on the current certificate.


How it works

            Your NPS / RADIUS server
┌──────────────────────────────────────────┐
│  ┌─────────────┐                         │
│  │CertKit Agent│──┐ 1. import PFX        │     CertKit
│  └─────────────┘  │    -> LocalMachine   │   ┌──────────┐
│         │         ▼                      │◄──┤ Issue &  │
│         │   ┌───────────────┐            │   │ Renew    │
│         │   │ Cert store    │            │   │   ┌───┐  │
│         └──►│ NPS EAP config│  2. patch  │   └───│DNS│──┘
│   3. netsh  │ 14000000+ref  │     thumb  │       └───┘
│   import    └───────┬───────┘            │  one-time CNAME
│         ┌───────────▼───────┐            │  delegated DNS
│         │ IAS svc restarted │ 4. restart │
│         │ [x] PEAP online   │            │
│         └───────────────────┘            │
└──────────────────────────────────────────┘

CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. The NPS server never runs an ACME client and never holds DNS credentials; the agent imports the certificate, rewrites the thumbprint inside the EAP config, and restarts the service locally.

CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.

Richard Hicks, Consultant and Microsoft MVP

NPS deployment script

# Network Policy Server (NPS) — PEAP / EAP-TLS Certificate Update
#
# Updates the server certificate NPS presents for PEAP and
# EAP-TLS, then restarts the service. The CertKit Agent imports
# the renewed PFX into the LocalMachine store before this runs.
#
# NPS stores the selected certificate inside the EAP config blob
# of each network policy as 14000000 + the SHA1 thumbprint, not
# as a named binding. A renewal that only imports the new cert
# leaves every policy pointing at a thumbprint that no longer
# exists, so PEAP and EAP-TLS authentication fails.
#
# Injected variables (set by CertKit Agent):
#   $thumbprint - SHA1 thumbprint of the renewed certificate
#
# Prerequisites:
#   - PowerShell 5.1+ (Windows Server 2012 R2+)
#   - Network Policy Server role installed
#   - Permission to export/import NPS config and restart the service

# Refuse to run with a malformed thumbprint or one that is not in
# the store: the value below is written into every policy blob.
if ($thumbprint -notmatch '^[0-9a-fA-F]{40}$') {
    throw "Expected a 40-character SHA1 thumbprint, got '$thumbprint'"
}
$thumbprint = $thumbprint.ToUpperInvariant()
if (-not (Test-Path "Cert:\LocalMachine\My\$thumbprint")) {
    throw "Certificate $thumbprint is not in the LocalMachine\My store"
}

# Export current NPS config. This includes RADIUS shared secrets,
# so treat the export file as sensitive.
$exportPath = Join-Path $env:TEMP 'nps-config.xml'
netsh nps export filename="$exportPath" exportPSK=YES | Out-Null
$config = [System.IO.File]::ReadAllText($exportPath)

# Replace the PEAP/EAP-TLS server cert thumbprint inside the EAP
# config blobs: NPS stores it as 14000000 + SHA1 thumbprint.
$config = [regex]::Replace(
    $config,
    '(?i)(14000000)([0-9a-f]{40})',
    '${1}' + $thumbprint
)

# Write the patched config back, import it, and restart NPS (service
# name IAS) so RADIUS comes up on the renewed certificate. Remove the
# export afterwards because it holds the shared secrets.
try {
    [System.IO.File]::WriteAllText($exportPath, $config)
    netsh nps import filename="$exportPath" | Out-Null
    Restart-Service -Name IAS
} finally {
    Remove-Item $exportPath -Force -ErrorAction SilentlyContinue
}

The complete deployment script ships in your CertKit account.

The CertKit Agent imports the renewed PFX, exports the NPS configuration, rewrites the certificate thumbprint inside every EAP policy blob, imports the corrected configuration, and restarts the service. No clicking through each network policy in the NPS console, no re-selecting the certificate by hand, no silent authentication outage waiting to be discovered.

Restarting the NPS service drops RADIUS for a moment, so in-progress authentications retry and clients re-associate as the listener comes back. Schedule a deployment window per server so the thumbprint update and restart run at 2am Sunday rather than during business hours. CertKit stages the renewed certificate and only applies it inside the window you choose.

The pre-built NPS template ships with your CertKit account. Enable it once. CertKit handles every renewal after that.

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Install the CertKit Agent on the NPS server. One command on the Windows Server running the Network Policy Server role. The agent runs as a Windows service and needs no inbound firewall rules.
  3. Add the NPS deployment script. The pre-built template is in your account. Save it and CertKit imports the certificate, rewrites the EAP thumbprint, and restarts the service on every renewal.


Why importing the certificate isn't enough

With most Windows services, importing a renewed certificate and rebinding by thumbprint is the whole job. NPS is different because the certificate is selected inside the EAP configuration of each network policy, recorded as 14000000 plus the SHA1 thumbprint. Drop a new certificate into the store and NPS keeps presenting the old thumbprint, finds it no longer matches anything usable, and rejects PEAP and EAP-TLS authentication. The certificate is valid and present, the service is running, and clients still can't get on the network, which makes it a confusing outage to diagnose.
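As an added example (not CertKit's template and not a script from this page), the following PowerShell audit surfaces exactly this state before clients notice it: it exports the NPS configuration without shared secrets, pulls every 14000000 + SHA1 thumbprint reference out of the EAP policy blobs, and checks each one against the LocalMachine\My store. The `$WarnDays` threshold and the temporary file name are assumptions; the rest uses only the `netsh nps export` syntax and blob layout described on this page.

```powershell
# Audit NPS network policies for EAP server-certificate references that
# are missing, expired, or close to expiry. Run elevated on the NPS server.
# Added example; assumes NPS role installed and PowerShell 5.1+.
param(
    [int]$WarnDays = 14   # assumption: flag certificates expiring within 14 days
)

# Export the live configuration. exportPSK=NO leaves the RADIUS shared
# secrets out of the file because thumbprints are all this audit needs.
$exportPath = Join-Path $env:TEMP ('nps-audit-{0}.xml' -f [guid]::NewGuid())
netsh nps export filename="$exportPath" exportPSK=NO | Out-Null
try {
    $config = [System.IO.File]::ReadAllText($exportPath)
} finally {
    Remove-Item $exportPath -Force -ErrorAction SilentlyContinue
}

# NPS records the selected certificate inside each policy's EAP config
# blob as the marker 14000000 followed by the SHA1 thumbprint.
$refs = [regex]::Matches($config, '(?i)14000000([0-9a-f]{40})') |
    ForEach-Object { $_.Groups[1].Value.ToUpperInvariant() } |
    Sort-Object -Unique

if (-not $refs) {
    Write-Output 'No EAP certificate references found in the NPS configuration.'
    return
}

# Compare every referenced thumbprint with what is actually in the store.
# A MISSING row is the signature of the outage described above: the
# policy still points at a thumbprint that no longer exists.
$now = Get-Date
foreach ($thumb in $refs) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        $state = 'MISSING: referenced by a policy but not in LocalMachine\My'
    } elseif ($cert.NotAfter -lt $now) {
        $state = 'EXPIRED on {0:u}' -f $cert.NotAfter
    } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
        $state = 'EXPIRES SOON ({0:u})' -f $cert.NotAfter
    } else {
        $state = 'OK (valid until {0:u})' -f $cert.NotAfter
    }
    [pscustomobject]@{ Thumbprint = $thumb; Status = $state }
}
```

Run it before and after a renewal on each NPS server. Before, a row marked EXPIRES SOON tells you the policy rewrite is due; after, every row should read OK with the new thumbprint, and any MISSING row means a policy was skipped and PEAP or EAP-TLS clients on that policy are about to fail.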

The manual fix is tedious and easy to get wrong: open the NPS console, edit every affected network policy, step into the PEAP or EAP-TLS properties, re-select the renewed certificate, and apply. Do that by hand on every renewal, on every server, across every policy, and the odds of a missed policy or a skipped server climb with each cycle.

CertKit issues the RADIUS certificate via delegated DNS validation, then the agent handles the thumbprint rewrite, the import, and the restart as one verified step. There is no ACME client on the server and no console clicking on your renewal calendar.

NPS is the RADIUS server behind your Wi-Fi and VPN

The certificate NPS presents for PEAP and EAP-TLS is the trust anchor your 802.1X Wi-Fi, wired network access control, and Always On VPN authentication all depend on. CertKit automates that certificate, plus the gateway certificates on Always On VPN, DirectAccess, RRAS, IIS, and AD FS, from a single account.


Start automating NPS certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.
