
Certificate Requirements for TLS

Transport Layer Security (TLS) encrypts communication between Cisco Meraki devices and a Domain Controller or identity server (running Active Directory or LDAP services). TLS is a prerequisite for the following configurations:

TLS is also a prerequisite for MS-CHAPv2 with RADIUS.

To use TLS, a certificate with the appropriate parameters must be installed on the Domain Controller. This article outlines the necessary certificate parameters for TLS.

Adding a Certificate

Though an existing certificate can be modified to meet the parameters outlined below, a self-signed certificate can easily be configured and used for TLS.

It is important to remember that self-signed certificates are not recommended for production environments. A Certificate Authority (CA) signed certificate is more secure and is considered best practice.


Please refer to our documentation for instructions to add a self-signed certificate in Windows Server.

For RADIUS servers or other identity providers, please refer to your server provider's documentation for configuration steps.

Configuring a Certificate for TLS

The following notes describe the certificate parameters as they appear in Windows Server, but the same requirements apply to a certificate on any platform.

Under the General tab, check for the following attributes:

  • The server must have the corresponding private key. To verify that the private key exists, view the General tab of the certificate and verify that you see the following message: "You have a private key that corresponds to this certificate".
  • Verify that the following statement appears: "This certificate is intended for the following purpose(s): Proves your identity to a remote computer". 
  • Check that the certificate is still valid, based on the "Valid from" values.



Under the Details tab:

  • The Version value must contain "v3", indicating that it is an X.509 Version 3 certificate.
  • The Enhanced Key Usage value must contain the Server Authentication certificate purpose (OID "").
  • The Subject value must contain the Fully Qualified Domain Name of the RADIUS server, e.g. myserver.mydomain.com.
  • The Public key value should be set to "RSA (2048 Bits)".
  • The "Subject Alternative Name" value must contain the syntax "DNS Name=myserver.mydomain.com", where the DNS name is the Fully Qualified Domain Name of your server. This is especially important when using an Active Directory-based PKI.
  • The Key usage must contain the "Digital Signature" and "Key Encipherment" values.
    Note: In Server 2012, this option may be available as "Data Encipherment."
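To verify the Details-tab attributes above on any platform, here is an added Python example (not from the Meraki article) using the `cryptography` library: check_tls_cert reports which listed attributes a PEM certificate fails, and make_self_signed builds a constructed self-signed test certificate for the hostname myserver.mydomain.com used in the article. It treats "RSA (2048 Bits)" as a minimum, so larger RSA keys also pass.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def _ext(cert, cls):
    # Extension value, or None when the certificate lacks that extension entirely.
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def check_tls_cert(cert_pem, fqdn, now=None):
    # Returns a list of findings; an empty list means every Details-tab requirement is met.
    cert = x509.load_pem_x509_certificate(cert_pem)
    nb, na = (getattr(cert, n + "_utc", None) or getattr(cert, n).replace(tzinfo=timezone.utc)
              for n in ("not_valid_before", "not_valid_after"))  # *_utc needs cryptography >= 42
    cns = [a.value.lower() for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    pub, san = cert.public_key(), _ext(cert, x509.SubjectAlternativeName)
    eku, ku = _ext(cert, x509.ExtendedKeyUsage), _ext(cert, x509.KeyUsage)
    checks = [
        (cert.version == x509.Version.v3, "Version is not v3"),
        (nb <= (now or datetime.now(timezone.utc)) <= na, "outside the Valid from / Valid to window"),
        (fqdn.lower() in cns, "Subject CN is not the server FQDN"),
        (isinstance(pub, rsa.RSAPublicKey) and pub.key_size >= 2048, "Public key is not RSA (2048 Bits)"),
        (san is not None and fqdn.lower() in [d.lower() for d in san.get_values_for_type(x509.DNSName)],
         "Subject Alternative Name lacks DNS Name=" + fqdn),
        (eku is not None and ExtendedKeyUsageOID.SERVER_AUTH in eku,
         "Enhanced Key Usage lacks Server Authentication"),
        (ku is not None and ku.digital_signature and ku.key_encipherment,
         "Key usage lacks Digital Signature and/or Key Encipherment"),
    ]
    return [msg for ok, msg in checks if not ok]

def make_self_signed(fqdn, with_san=True):
    # Constructed test fixture (not a production certificate): self-signed v3 cert built to the list above.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fqdn)])
    now = datetime.now(timezone.utc)
    off = dict.fromkeys(("content_commitment", "data_encipherment", "key_agreement", "key_cert_sign",
                         "crl_sign", "encipher_only", "decipher_only"), False)
    ku = x509.KeyUsage(digital_signature=True, key_encipherment=True, **off)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
         .serial_number(x509.random_serial_number()).not_valid_before(now - timedelta(days=1))
         .not_valid_after(now + timedelta(days=365)).add_extension(ku, critical=True)
         .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False))
    if with_san:  # omit the SAN to see the checker flag the missing DNS Name
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(fqdn)]), critical=False)
    return b.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
```

Run check_tls_cert on the PEM exported from your own server to list the attributes that still need fixing.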


Additional Resources

For more information on digital certificates, please see Microsoft's KB regarding Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS.

For a general understanding of EAP-TLS or PEAP, please refer to documentation about the Extensible Authentication Protocol.

Last modified
17:00, 22 Dec 2016

Article ID

ID: 1706