Hi,
We had a working NPS configuration for our wireless clients. We've recently migrated our offline root/issuing certificate servers from 2008R2 to 2012R2 and migrated to SHA2, and we've renewed both the Root and Issuing server certificates. I don't believe we have any problems with the PKI configuration.
The problem now is that if a client which doesn't have the renewed certificates tries to connect, it fails; we're using EAP-TLS. We receive errors about Trust Anchor indicating what looks like certificate path/chain issues.
The IAS/NPS certificate issued is still a valid SHA1 certificate; the path shows the SHA256 issuing and root, and this appears to be the problem. How do we resolve this nicely without having to connect wireless clients by cable (to automatically get the new certs) or adding the renewed root certificate manually?
The old Root and Issuing certificates are still valid.
Thanks
Ben