Renewing 802.1x Certs on the Client

New Contributor II

Hi Everyone,

Has anyone who is using 802.1x authentication gone through the cert renewal process? Our expiration date is coming up shortly and we are trying to come up with a way to push out a new certificate without breaking the existing authentication.

I can deploy a new System Profile, which includes the cert and credentials for the wireless network, but unless the new policy/certificate is the first in the policy list (NPS, 2008R2), my authentication is broken.

Just wondering if anyone here had any experience with that.

Thank you,



New Contributor

I am trying to figure this out. Have there been any updates to this?


The way I have done this in the past is to push out two completely new profiles with the new cert. I use two as sometimes one seems to disappear by itself and having two profiles reduces the chance of both going missing at the same time.

I then create a smart group that contains the devices that have both of the two new profiles as the criteria. I then modify the scope of the old profile to exclude the members of the new smart group. Save the profile and choose "Distribute to Newly Assigned Devices Only". Do not Distribute to All, or most devices will likely lose their connection.

After a month or two I delete the old profile and the smart group.