Creating and Installing a Self-Signed Certificate for PEAP Authentication

A server-side X.509 digital certificate is required for PEAP/EAP-TLS authentication. This certificate can be purchased from a third-party Certificate Authority such as VeriSign, or it can be issued from an organization's internal Certificate Authority. Both options may be costly for test environments.

Creation of Self-Signed Certificate

You can use TekCERT (or another application) to generate self-signed certificates for test environments.
After creating the certificate, export its public key in .cer (DER encoded X.509) format for client deployment: click the "Browse Certificates" tab, select the generated certificate and click the "Export" button.

You may also create client certificates using TekCERT. In the certificate parameters, select "Client Certificate" as the purpose. For client deployment, you must export the client certificate with its associated private key in .pfx format.

Server Certificate

[Figure: Select Certificate Store dialog]

Copy the file that contains the server certificate to the client computer. Locate the certificate file on the client computer, right-click it, then select "Install Certificate". Click "Next" on the "Certificate Import Wizard" dialog. Select "Place all certificates in the following store", then click "Browse". Click "Show physical stores" and then select "Trusted Root Certification Authorities/Local Computer"; click OK to close the "Select Certificate Store" dialog.

Click "Next" on the "Certificate Import Wizard" dialog after selecting the certificate store, and then click "Finish" to complete manual deployment of the server root certificate.

 

Client Certificate

[Figure: Certificate Import Wizard dialog]

Copy the file that contains the client certificate to your client computer. Locate the certificate file on the client computer and double-click it. Click "Next".
Enter the private key password, select "Mark this key as exportable…" and click "Next". Select "Automatically select the certificate store based on the type of certificate" and click "Next". Click "Finish" on the last dialog.
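
The two manual import procedures above can also be scripted. The following PowerShell is an added example, not part of the original page or of TekCERT; the file names are hypothetical, and it assumes the .pfx holds the client certificate and its key and that the session is elevated.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
# The file names below are hypothetical placeholders for the files exported from TekCERT.
param(
    [string]$ServerCer = '.\server-root.cer',  # assumption: DER .cer exported for clients
    [string]$ClientPfx = '.\client.pfx'        # assumption: client certificate + private key
)
$ErrorActionPreference = 'Stop'

# Load the server certificate from disk and inspect it before trusting it.
$path = (Resolve-Path -LiteralPath $ServerCer).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# A self-signed certificate has identical subject and issuer names.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Not self-signed: issuer is '$($cert.Issuer)'"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
}

# Report whether the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is present.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$ekuOids = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
             ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') {
    Write-Warning 'Server Authentication EKU not found in this certificate'
}

# Compare this thumbprint with the value shown on the machine that generated the certificate.
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
if ((Read-Host 'Thumbprint matches? (y/n)') -ne 'y') { throw 'Import aborted' }

# Same target as the wizard steps: Trusted Root Certification Authorities / Local Computer.
Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Client certificate with private key into the current user's Personal store;
# -Exportable corresponds to "Mark this key as exportable" in the wizard.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$client = Import-PfxCertificate -FilePath $ClientPfx -CertStoreLocation Cert:\CurrentUser\My `
          -Password $pfxPassword -Exportable

# Confirm both certificates landed in the intended stores.
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
Get-ChildItem Cert:\CurrentUser\My   | Where-Object Thumbprint -in $client.Thumbprint
```

If the elevated session runs under a different account than the one that will use the wireless connection, run the client import separately as that user, because Cert:\CurrentUser refers to the account running the script.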

 

Client PEAP Configuration

Although commercial and free 802.1X supplicants with PEAP support are available for Windows, Windows editions have a built-in supplicant. To configure PEAP (PEAPv0-EAP-MS-CHAP v2) authentication for a wireless network connection, open Network Connections (Start/Settings/Network Connections), right-click the particular wireless connection and select "Properties".

[Figures: Wireless Networks Connection/Wireless; Association parameters]

You will see the detected wireless networks in the "Preferred networks" window on the "Wireless Networks" tab. Select the wireless network that requires PEAP authentication and then click "Properties".
Configure the "Association" parameters as shown. Go to the "Authentication" tab, select "Protected EAP (PEAP)" as the "EAP Type", then click "Properties".

[Figures: EAP type selection; Select Certificate Store dialog]

Check "Validate server certificate" and, optionally, select the server root certificate installed previously in the "Trusted Root Certification Authorities" list.

If you plan to authenticate the user with a username/password pair other than the one the user uses to log on to Windows, click the "Configure" button on the "Protected EAP Properties" dialog, uncheck "Automatically use my Windows logon name and password" on the "EAP MSCHAPv2 Properties" dialog and click OK.
