Tags: windows, active-directory, certificate, radius, nps

Testing revoke certificates in NPS server


I am testing an NPS server on Windows Server 2022 with PEAP (with certificates); the setup is:

  • Windows Server 2022 --> AD DS (test.lab), AD CS, NPS
  • Windows 10 --> Joined to domain

Certs on Windows Server 2022:

certs

NPS configuration:

nps_eap

Result:

test_connection

The connection is successful, but now I am trying to revoke the certificate so that the connection is rejected, and I don't know what the following steps are... I have tried to revoke the certificate with Certificate Authority, but it doesn't work.


Solution

  • To enable revocation checking, please try the following:

    • Administrators must enable the RootCertificateNameToAccept parameter and set a registry key to enable the functionality.
    • To enable CRL (Certificate Revocation List) checking for IKEv2 VPN connections, open a PowerShell window and run the commands below:

        $Thumbprint = 'Root CA Certificate Thumbprint'
        $RootCACert = (Get-ChildItem -Path cert:\LocalMachine\root | Where-Object {$_.Thumbprint -eq $Thumbprint})
        Set-VpnAuthProtocol -RootCertificateNameToAccept $RootCACert -PassThru

        New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2\' -Name CertAuthFlags -PropertyType DWORD -Value '4' -Force

        Restart-Service RemoteAccess -PassThru


    Revoking certificates

    • The administrator must first revoke the certificate on the issuing CA.

    Open an elevated command window and enter the commands below:

        certutil -urlcache * delete
        certutil -setreg chain\ChainCacheResyncFiletime @now
    
    • If the above solution doesn't work, please try the following steps:

    Click Start -> Administrative Tools -> click Certification Authority -> expand your CA -> click the Issued Certificates folder -> select the issued certificate -> click All Tasks -> click Revoke Certificate -> in the Certificate Revocation dialog box, select Cease of Operation -> click OK

    References:

    Certificate revocation | Richard M. Hicks Consulting, Inc. (richardhicks.com)

    How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)
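The procedure in the answer (revoke on the issuing CA, flush the cached URL and chain state, then confirm the result) as one scripted sequence. This is an added example, not code from the original post; the serial number, the exported client certificate path and the NPS service restart are assumptions, marked as such in the comments.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on the CA for steps 1-2 and on the NPS server for steps 3-5.
# $Serial and $ClientCert are placeholders you must replace.

$Serial     = '<serial-number-of-client-cert>'   # placeholder: copy from the CA's Issued Certificates view
$ClientCert = 'C:\temp\client.cer'               # placeholder: the client certificate exported as a .cer file

# 1. On the CA: revoke the certificate. Reason code 5 is "Cessation of Operation",
#    the same reason the answer selects in the Certification Authority MMC dialog.
certutil -revoke $Serial 5

# 2. On the CA: publish a fresh base CRL so the revocation actually reaches the
#    CDP URLs embedded in the issued certificates. Until a new CRL is published,
#    relying parties keep trusting the previous one.
certutil -CRL

# 3. On the NPS server: drop cached CRL/OCSP downloads and force CryptoAPI to
#    rebuild its chain cache (the two commands from the answer). Without this the
#    server can keep using the old "not revoked" CRL until its NextUpdate time.
certutil -urlcache * delete
certutil -setreg chain\ChainCacheResyncFiletime @now

# 4. Assumption: restart the NPS service ("IAS") so the EAP stack discards any
#    chain state it is still holding for the revoked certificate.
Restart-Service -Name IAS -PassThru

# 5. Verify from the NPS server's point of view: build the chain with live CRL
#    fetching and check whether the end-entity certificate now shows as revoked.
$verify = certutil -verify -urlfetch $ClientCert | Out-String
if ($verify -match 'REVOKED') {
    Write-Output "Revocation is visible to the NPS server: PEAP should now reject this client."
} else {
    Write-Output "Certificate still verifies. Check that the new CRL was published and is reachable at the CDP URL."
    # Print the CDP/CRL lines from the verification output to see which URL was fetched.
    $verify -split "`r?`n" | Where-Object { $_ -match 'CRL|CDP|Revocation' }
}
```

The `-match 'REVOKED'` check relies on certutil's verification output naming the revoked status; if the chain still passes, the CRL fetched from the CDP is the place to look first.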