Updating NPS Certificates with PowerShell

Updating the certificate used for PEAP or EAP-TLS in Microsoft's Network Policy Server (NPS) is a manual, click-heavy process. If you have multiple policies, you have to open each one, navigate to the constraints, click "Edit" on the EAP type, and select the new certificate from a dropdown. With certificate lifetimes ever decreasing, this quickly becomes a tedious chore.

To solve this, I wrote Update-NPSCert.ps1. It automates the entire process by directly modifying the NPS configuration.

The Problem with NPS Configuration

NPS doesn't have a direct PowerShell cmdlet to update the certificate used in a policy. The configuration is stored in a complex way, but it can be exported to an XML file using Export-NpsConfiguration. Inside this XML, the certificate is identified by its thumbprint within a hex-encoded msEAPConfiguration block.

How it Works

The script follows a simple but effective workflow:

  1. Export: It exports the current NPS configuration to a timestamped XML file.
  2. Identify: It finds the newest valid certificate in the machine's Personal store (optionally matching a regex).
  3. Modify: It parses the XML, finds all msEAPConfiguration nodes, and surgically replaces the old thumbprint with the new one.
  4. Import: It imports the modified XML back into NPS using Import-NpsConfiguration.
  5. Restart: Optionally, it restarts the IAS (NPS) service to ensure the changes take effect.
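The five steps above, written out as an added, stand-alone PowerShell example. This is not the author's Update-NPSCert.ps1; it assumes that each msEAPConfiguration element in the export carries the EAP blob as hex text, that the certificate thumbprint is embedded in that blob as its raw 20 SHA-1 bytes (a 40-character hex substring, so a same-length replacement keeps the blob well-formed), and that the certificate being replaced is still in LocalMachine\My so the old thumbprint can be recognised by matching store thumbprints against the blob. The -OldCertThumbprint, -SubjectPattern and -BackupDir parameters are my own; -CertThumbprint, -ImportConfig and -RestartIAS follow the names used in this post.

```powershell
<#
  Added example of the export / identify / modify / import / restart workflow.
  Not the author's Update-NPSCert.ps1.
  Assumption: every msEAPConfiguration element holds the EAP blob as hex text and the
  certificate thumbprint appears in it as its raw 20 SHA-1 bytes, i.e. 40 hex characters.
#>
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    # New certificate; when omitted, the newest valid cert in LocalMachine\My is chosen
    [string]$CertThumbprint,
    # Old certificate; when omitted, any other LocalMachine\My thumbprint found in a blob is treated as the old one
    [string]$OldCertThumbprint,
    # Regex applied to the Subject when auto-selecting the new certificate (my own parameter)
    [string]$SubjectPattern = '.*',
    [string]$BackupDir = "$env:ProgramData\NPSCertUpdate",
    [switch]$ImportConfig,
    [switch]$RestartIAS
)

$ErrorActionPreference = 'Stop'
$thumbFormat = '^[0-9A-F]{40}$'

# Step 2 first: fail fast if no suitable certificate exists before touching NPS.
if (-not $CertThumbprint) {
    $now  = Get-Date
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and $_.Subject -match $SubjectPattern } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No valid certificate with a private key matching '$SubjectPattern' in LocalMachine\My." }
    $CertThumbprint = $cert.Thumbprint
}
$CertThumbprint = $CertThumbprint.ToUpperInvariant()
if ($CertThumbprint -notmatch $thumbFormat) { throw "Thumbprint must be 40 hex characters, got '$CertThumbprint'." }
if (-not (Test-Path "Cert:\LocalMachine\My\$CertThumbprint")) { throw "Certificate $CertThumbprint is not in LocalMachine\My, so NPS could not use it." }

# Candidate old thumbprints: the explicit one, or every other certificate in the store
# (expired ones included, since the certificate being replaced is often already expired).
if ($OldCertThumbprint) {
    $oldCandidates = @($OldCertThumbprint.ToUpperInvariant())
} else {
    $oldCandidates = @(Get-ChildItem Cert:\LocalMachine\My |
        ForEach-Object { $_.Thumbprint.ToUpperInvariant() } |
        Where-Object { $_ -ne $CertThumbprint })
}

# Step 1: export the live configuration; this file doubles as the rollback copy.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$exportFile = Join-Path $BackupDir "nps-config-$stamp.xml"
Export-NpsConfiguration -Path $exportFile

# Step 3: replace the thumbprint inside every msEAPConfiguration blob.
[xml]$config = Get-Content -Path $exportFile -Raw
$changed = 0
foreach ($node in $config.SelectNodes('//msEAPConfiguration')) {
    $blob = $node.InnerText.Trim().ToUpperInvariant()   # hex is case-insensitive, so normalising is safe
    $old  = $oldCandidates | Where-Object { $blob.Contains($_) } | Select-Object -First 1
    if (-not $old) { Write-Warning 'msEAPConfiguration blob references no known thumbprint; left unchanged.'; continue }
    if ($old -eq $CertThumbprint) { continue }          # already points at the new certificate
    $node.InnerText = $blob.Replace($old, $CertThumbprint)
    $changed++
}
if ($changed -eq 0) { throw 'No EAP configuration referenced a replaceable thumbprint; nothing to import.' }

$updatedFile = Join-Path $BackupDir "nps-config-$stamp-updated.xml"
$config.Save($updatedFile)
Write-Verbose "Rewrote $changed EAP configuration block(s) to $CertThumbprint; saved $updatedFile"

# Steps 4 and 5: import and restart only when asked and confirmed (-Confirm:$false skips the prompt).
if ($ImportConfig -and $PSCmdlet.ShouldProcess('NPS configuration', "Import $updatedFile")) {
    Import-NpsConfiguration -Path $updatedFile
    if ($RestartIAS) { Restart-Service -Name IAS }
}
```

Two design points worth keeping in any variant of this: Import-NpsConfiguration replaces the whole server configuration, so the untouched export taken in step 1 is the rollback copy and should be kept; and the import is gated behind ShouldProcess with a high confirm impact, which is why an unattended caller has to pass -Confirm:$false explicitly rather than having the prompt silently skipped.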

Automation with Simple-ACME (Win-ACME)

The real power of this script comes when you pair it with an ACME client like Simple-ACME. You can configure a post-renewal script that calls Update-NPSCert.ps1, passing the new certificate's thumbprint automatically with the following parameters.

-CertThumbprint {CertThumbprint} -ImportConfig -RestartIAS -Confirm:$false

This turns a manual maintenance task into a fully automated, set-and-forget process.

You can find the full script and documentation in the repository.