0

I am trying to set up PEAP-MS-CHAP v2 authentication for my VPN on a Windows 2003 SP2 server using a self-signed certificate. I have meticulously followed the PEAP certificate requirements when issuing the certificate as outlined here (i.e. subject name not empty, public key algorithm of RSA, minimum key length 2048 and an extended key usage of server authentication). More specifically, using the MakeCert utility of the Windows SDK, this is the command that I used to create the server certificate:

Makecert.exe -r -pe -n CN="WV21066" -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048 server.cer

I then installed the certificate in the server's certificate store (localmachine) under "Trusted Root Certificate Authorities". However, when I now try to select the certificate for PEAP in the Routing and Remote Access Snap-in, I keep getting an error message saying there is no suitable certificate installed ("A certificate could not be found that can be used with this Extensible Authentication protocol", see here).

Examining the certificate in Windows Explorer, I can see that it lists Server Authentication (1.3.6.1.5.5.7.3.1) under the "Enhanced Key Usage" property and that its public key (RSA) has a length of 2048 and that the subject property corresponds to CN = WV21066.

Is there anything I'm missing?

PaulK

1 Answer

0

Sorry for answering my own question, but I hope it helps somebody else. The problem was that I only added the certificate to the "Trusted Root Certificate Authorities" store, whereas it must also be added to the "Personal" store.

PaulK
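A way to check the points from the question and the answer in one pass, as an added example that is not part of the original posts: it looks for the certificate in the local machine "Personal" (`My`) store, confirms a copy is also in "Trusted Root Certification Authorities" (`Root`), and reports the subject, key and EKU properties the question lists. It assumes PowerShell 2.0 or later is available on the server; the subject and OID are the values from the question, and the private-key column is an extra check not mentioned on the page.

```powershell
$subject   = 'CN=WV21066'          # subject used in the question's MakeCert command
$serverEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication OID from the question

# Return all certificates with the expected subject from a LocalMachine store.
function Get-MachineCert([string]$StoreName) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadOnly')
    try     { @($store.Certificates | Where-Object { $_.Subject -eq $subject }) }
    finally { $store.Close() }
}

# Thumbprints of matching certificates trusted as roots (needed for a self-signed cert).
$rootThumbs = @(Get-MachineCert 'Root' | ForEach-Object { $_.Thumbprint })

# "My" is the internal name of the "Personal" store named in the answer.
$personal = @(Get-MachineCert 'My')
if ($personal.Count -eq 0) {
    Write-Output "No $subject certificate found in LocalMachine\My (Personal)."
}

foreach ($cert in $personal) {
    # Collect the OIDs listed in the Enhanced Key Usage extension, if present.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    New-Object PSObject -Property @{
        Thumbprint      = $cert.Thumbprint
        SubjectNotEmpty = [bool]$cert.Subject
        IsRsa           = ($cert.PublicKey.Oid.FriendlyName -eq 'RSA')
        KeyLengthOk     = ($cert.PublicKey.Key.KeySize -ge 2048)
        HasServerAuth   = ($ekus -contains $serverEku)
        AlsoInRoot      = ($rootThumbs -contains $cert.Thumbprint)
        # Extra check, not from the page: a TLS server certificate needs its private key.
        HasPrivateKey   = $cert.HasPrivateKey
    } | Select-Object Thumbprint, SubjectNotEmpty, IsRsa, KeyLengthOk,
                      HasServerAuth, AlsoInRoot, HasPrivateKey
}
```

An empty result for the `My` store reproduces the situation described in the question, where the certificate existed only under the trusted roots.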