Hey folks! I'm in the process of setting up a Wi-Fi network that will only be accessible from the internet, located in our DMZ. The goal is to have employees authenticate with their Active Directory credentials. Currently, I'm using a self-signed certificate on our NPS server, which leads users to see a warning and manually hit "trust" to proceed. Definitely not the best experience!
So my big question is: **Can I swap out my self-signed certificate for one issued by a trusted external/public CA, like DigiCert or Sectigo, for NPS authentication?**
Also, if this is doable:
- Will I need to manually import this new external certificate into the trusted certificate stores on all client devices, or should it be automatically recognized as trusted if it's from a well-known CA?
- Will this setup eliminate the annoying "click trust" prompt that users currently face?
In summary, I'm really hoping to make the user experience smooth so they can just log in with their AD credentials without any certificate warnings. Thanks for your help!
4 Answers
Do you have a CA in your Windows environment? If so, you might consider issuing a cert from there and having users trust the root certificate. You could also deploy the certificate to all devices with GPO, but that depends on how much control you have over those devices.
I’m curious why you would want to use a public CA cert for a DMZ workload with on-prem credentials. I'd suggest setting up an internal two-tier offline PKI instead; it's pretty straightforward. But to get to your question, NPS doesn’t issue certificates, it just uses them for authentication. While you can apply a public CA for PEAP, it actually has to be issued by a proper authority like DigiCert.
Right, using a public cert could work for your case, especially for those unmanaged devices. It should simplify things for users.
To clarify, I'm aiming for a Wi-Fi network just for employees with internet access and no MDM or GPOs. That’s why a public CA cert seems like the best way to avoid trust warnings for users.
Absolutely, you can use a public CA cert! The CN on the RADIUS certificate can be any domain you control, but just make sure to instruct your clients to trust the root CA certificate and the common name you picked.
Yes, you can definitely use a certificate issued by a public CA. Just make sure you're aware of the certificate chain and possibly include that in the cert upload to make everything smoother. Just avoid using wildcards for RADIUS, as that's a recipe for security issues.
For sure, using a public cert is generally a good choice, but just be careful about the details.
Yeah, wildcards on RADIUS can lead to spoof attacks, so definitely steer clear of that.
Just a heads up though, Android devices might not play nice with that setup.
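An added example (written for this summary, not code from the thread or from Microsoft): a PowerShell function to run on the NPS host that audits the certificate it will present to PEAP clients for the points raised above: private key and Server Authentication EKU, expiry, wildcard names in the CN or SAN, and whether the chain builds and every intermediate is installed in LocalMachine\CA so NPS can send the full chain. It assumes the certificate is in Cert:\LocalMachine\My and that you run it elevated; the thumbprint in the usage line is a placeholder.

```powershell
# Added example, not from this thread: audit the certificate NPS presents to
# PEAP clients. Assumes the cert lives in Cert:\LocalMachine\My on the NPS host.

function Test-NpsRadiusCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint,
        [int]$ExpiryWarningDays = 30
    )

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. NPS terminates the TLS tunnel inside PEAP, so it needs the private key.
    if (-not $cert.HasPrivateKey) {
        $findings.Add('No private key associated with the certificate.')
    }

    # 2. Windows and most other supplicants require the Server Authentication EKU.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))
    if (-not $hasServerAuth) {
        $findings.Add("Missing Server Authentication EKU ($serverAuthOid).")
    }

    # 3. Expiry: a lapsed RADIUS certificate takes the whole SSID down.
    if ($cert.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)) {
        $findings.Add("Expires $($cert.NotAfter.ToString('u')), within $ExpiryWarningDays days.")
    }

    # 4. Names: CN plus every SAN DNS entry. Clients should pin one exact name.
    #    A wildcard means any host holding a certificate for that wildcard would
    #    also pass the supplicant's server-name check, which is why the thread says to avoid it.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $names = (@($cn) + @($cert.DnsNameList | ForEach-Object { $_.Unicode })) |
        Where-Object { $_ } | Sort-Object -Unique
    $wildcards = @($names | Where-Object { $_.StartsWith('*') })
    if ($wildcards.Count -gt 0) {
        $findings.Add("Wildcard name(s) present: $($wildcards -join ', ')")
    }

    # 5. Chain: build it the way a client would (revocation skipped here because a
    #    DMZ host often cannot reach CRL/OCSP; switch to Online to test that too),
    #    then check that every intermediate is in LocalMachine\CA so NPS sends it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainBuilds = $chain.Build($cert)
    if (-not $chainBuilds) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $findings.Add("Chain does not build on this host: $status")
    }
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root = if ($elements.Count -gt 0) { $elements[-1].Subject } else { $null }
    $missingIntermediates = @()
    if ($elements.Count -gt 2) {
        $installed = Get-ChildItem -Path Cert:\LocalMachine\CA | Select-Object -ExpandProperty Thumbprint
        foreach ($ica in $elements[1..($elements.Count - 2)]) {
            if ($installed -notcontains $ica.Thumbprint) { $missingIntermediates += $ica.Subject }
        }
    }
    if ($missingIntermediates.Count -gt 0) {
        $findings.Add("Intermediate(s) not in LocalMachine\CA: $($missingIntermediates -join ' | ')")
    }

    [pscustomobject]@{
        Thumbprint           = $cert.Thumbprint
        Subject              = $cert.Subject
        ServerNames          = $names
        IssuedBy             = $cert.Issuer
        RootCA               = $root
        ChainBuilds          = $chainBuilds
        MissingIntermediates = $missingIntermediates
        Findings             = $findings
        Ok                   = ($findings.Count -eq 0)
    }
}

# Usage (placeholder thumbprint; take the real one from Get-ChildItem Cert:\LocalMachine\My):
Test-NpsRadiusCertificate -Thumbprint '0000000000000000000000000000000000000000' | Format-List
```

`Ok` is only true when every check passes; `Findings` lists what to fix. The client side is the other half of the advice in this thread: each device's wireless profile needs both the public root CA selected and the exact server name from `ServerNames` entered, because trusting the root alone would let any server certificate from that CA satisfy the supplicant.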