Overview
Often I deploy wireless networks with 802.1X PEAP authentication into Windows Active Directory environments which do not have an existing Enterprise Root Certificate Authority (CA). In environments where there are no further requirements for an Enterprise Root CA, I prefer the simplicity of using self-signed certificates on Windows 2008/2008 R2 based RADIUS servers running Network Policy Server (NPS). These servers are generally Active Directory domain controllers.
Note: Enterprise Root CA services need to be designed and implemented properly rather than simply installed on a whim to generate a certificate!
Issue
The problem is that Windows Server 2008/2008 R2 has no built-in way to generate a self-signed certificate without installing either IIS 7.0 (do you really want IIS on your DCs?) or OpenSSL.
Solution
Back in IIS 6.0 we had a tool called SelfSSL for generating and assigning self-signed certificates. SelfSSL is bundled with Microsoft's IIS 6.0 Resource Kit Tools.
SelfSSL is technically not compatible with IIS 7.0; however, I have discovered that it can still be used to generate a self-signed certificate on these newer servers!
Download and install SelfSSL (there is no need to select any other components of the IIS 6.0 Resource Kit Tools).
Launch SelfSSL by going to Start >Programs > IIS Resources > SelfSSL > SelfSSL (Note: You must run SelfSSL elevated as an Administrator, thanks to Nick for clarifying below!)
selfssl.exe /N:CN=fqdn.of.radius.server /K:1024 /V:1825
The above command generates a new certificate with a 1024-bit key and a validity period of 5 years (1825 days).
When prompted to overwrite the settings for site 1, answer yes. An error about opening the metabase will appear; it can be ignored, since IIS 6.0 is not installed on the server.
The certificate will now be in the local computer certificate store, ready for use in your NPS policies or for export to other servers/devices!
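The following PowerShell script is an added example and is not part of the original post or of SelfSSL. It runs SelfSSL with the same switches as the command above, then checks the resulting certificate in the local computer store (Cert:\LocalMachine\My, the Personal store) before it is selected in an NPS policy, and exports the public part for distribution to clients or other devices. It assumes an elevated PowerShell session on the NPS server, SelfSSL installed from the IIS 6.0 Resource Kit Tools under the default "IIS Resources\SelfSSL" folder, and the placeholder FQDN replaced with the server's real DNS name; the function names and the checks are my own.

```powershell
# Added example (not from the original post). Generates the certificate with
# SelfSSL, verifies it in the computer store and exports the public part.
# Assumptions: elevated session on the NPS server; SelfSSL installed from the
# IIS 6.0 Resource Kit Tools; $Fqdn replaced with the server's real DNS name.

$Fqdn      = "fqdn.of.radius.server"   # placeholder from the post; use the real FQDN
$KeyBits   = 1024                      # same values as the post's command
$ValidDays = 1825
$ExportDir = $env:TEMP

function Get-SelfSslPath {
    # The Resource Kit Tools are 32-bit, so on x64 they live under Program Files (x86).
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
    foreach ($root in $roots) {
        $p = Join-Path $root "IIS Resources\SelfSSL\selfssl.exe"
        if (Test-Path $p) { return $p }
    }
    throw "selfssl.exe not found; install SelfSSL from the IIS 6.0 Resource Kit Tools"
}

function New-SelfSslCertificate {
    param([string]$Fqdn, [int]$KeyBits, [int]$ValidDays)
    $exe = Get-SelfSslPath
    # Same switches as the post. SelfSSL still prompts to overwrite site 1 (answer
    # yes) and reports a metabase error when IIS 6.0 is absent; both are expected.
    & $exe "/N:CN=$Fqdn" "/K:$KeyBits" "/V:$ValidDays"
}

function Test-NpsCertificate {
    param([string]$Fqdn, [int]$KeyBits, [int]$ValidDays)
    # Newest certificate whose subject matches the FQDN, in the computer's Personal store.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$Fqdn in Cert:\LocalMachine\My" }

    $problems = @()
    # NPS needs the private key to terminate the PEAP TLS tunnel.
    if (-not $cert.HasPrivateKey) { $problems += "no private key in the store" }
    $bits = $cert.PublicKey.Key.KeySize
    if ($bits -ne $KeyBits) { $problems += "key size $bits, expected $KeyBits" }
    $days = [int](($cert.NotAfter - $cert.NotBefore).TotalDays)
    if ([Math]::Abs($days - $ValidDays) -gt 1) { $problems += "validity $days days, expected $ValidDays" }
    # Clients that validate the server certificate compare its name with the
    # server they expect, so the CN should be this machine's DNS name.
    $hostName = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
    if ($hostName -ne $Fqdn) { $problems += "CN does not match this host's DNS name ($hostName)" }
    # If an Enhanced Key Usage extension is present it should include Server Authentication.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    if ($ekus.Count -gt 0 -and $ekus -notcontains "1.3.6.1.5.5.7.3.1") {
        $problems += "EKU present but lacks Server Authentication"
    }

    New-Object PSObject -Property @{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        KeyBits     = $bits
        NotAfter    = $cert.NotAfter
        Problems    = $problems
        Certificate = $cert
    }
}

function Export-PublicCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Path)
    # DER-encoded public certificate only (no private key), for client trust lists.
    $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $Path
}

New-SelfSslCertificate -Fqdn $Fqdn -KeyBits $KeyBits -ValidDays $ValidDays
$check = Test-NpsCertificate -Fqdn $Fqdn -KeyBits $KeyBits -ValidDays $ValidDays
$check | Select-Object Thumbprint, Subject, KeyBits, NotAfter, Problems | Format-List
if ($check.Problems.Count -eq 0) {
    Export-PublicCertificate -Cert $check.Certificate -Path (Join-Path $ExportDir "$Fqdn.cer")
} else {
    Write-Warning "Fix the problems listed above before selecting this certificate in NPS"
}
```

The export writes only the public certificate (.cer); the private key stays in the computer store where NPS reads it. The checks use only .NET types available on Windows Server 2008/2008 R2 PowerShell, so the script does not depend on the newer Export-Certificate cmdlets.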