Setup Certificate Authority for 802.1x
I am in the process of implementing 802.1x for both wired and wireless clients. In the Microsoft guides that I have read, it states that Server Enterprise or Datacenter is required for Version 2 templates, duplicating/modifying templates, autoenrollment, role separation enforcement, and key archival/retrieval. I wouldn't question this, except that I have a lab setup with a DC/CA/NPS server configured as an Enterprise Certificate Authority on Server 08 R2 Standard. In this lab environment I was able to duplicate the RAS/IAS cert for the NPS server and autoenroll, and to duplicate and autoenroll the computer cert. My first question is: why is Server 08 Enterprise or Datacenter required for autoenrollment? Are there any drawbacks to using Server 08 R2 Standard, such as a client limitation or security? My second question is: what is the recommended validity and renewal period for the RAS/IAS cert and the computer cert?
January 3rd, 2013 10:25am

Hi, thanks for posting in Microsoft TechNet forums. I don't think the Enterprise or Datacenter version is required for Certificate Autoenrollment. Windows Server 2008 R2 Standard also supports Certificate Autoenrollment. Configure Certificate Autoenrollment: http://technet.microsoft.com/en-us/library/cc731522.aspx Have a nice day. Regards, Kevin
January 7th, 2013 2:51am

Auto-enrollment for V2 and V3 certificates on a CA running Server Standard was added in 2008 R2. In versions prior to 2008 R2, Enterprise or Datacenter was required. There are, however, still some limitations to using the Standard bits in lieu of Enterprise for an Enterprise CA. This wiki article has the full matrix as it applies to 2008 R2: http://social.technet.microsoft.com/wiki/contents/articles/1137.active-directory-certificate-services-ad-cs-overview.aspx#Features One big one, since you are looking at 802.1X, is the lack of OCSP and NDES in Standard Edition. Some network devices require the use of OCSP or NDES, so you would need to implement at least Enterprise edition in that case. Edit: Regarding validity, if you use 2048-bit keys they are good for the foreseeable future (up to 2030, according to RSA). I personally would feel safe with something between 5-10 years, maybe 7 to split the difference.
January 7th, 2013 4:31pm
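As an added example (not posted by anyone in this thread), the following PowerShell script audits the NPS server's machine certificate store for certificates that 802.1X can actually use (Server Authentication EKU plus a private key) and reports how much validity remains, which is the practical side of the renewal-period question above. It assumes PowerShell 3.0 or later on Windows; the 60-day warning threshold and the function names are choices made here, not a Microsoft recommendation.

```powershell
# Added example, not from the thread: audit Cert:\LocalMachine\My for 802.1X-usable
# certificates and flag those that are expired or close to expiry.
# Assumption: $WarnDays is an arbitrary threshold chosen for this example.
$WarnDays = 60

function Get-CertTemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v1 templates stamp 1.3.6.1.4.1.311.20.2 (template name); duplicated v2/v3 templates
    # stamp 1.3.6.1.4.1.311.21.7 (template OID + version). Return the formatted text.
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
        Select-Object -First 1
    if ($ext) { return $ext.Format($false) } else { return 'none' }
}

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 1.3.6.1.5.5.7.3.1 = Server Authentication; PEAP/EAP-TLS clients require it on the NPS cert.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
}

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0)              { $status = 'EXPIRED' }
    elseif ($daysLeft -lt $WarnDays)  { $status = 'RENEW SOON' }
    else                              { $status = 'OK' }
    [pscustomobject]@{
        Subject       = $_.Subject
        Template      = Get-CertTemplateInfo $_
        ServerAuthEKU = Test-ServerAuthEku $_
        HasPrivateKey = $_.HasPrivateKey
        NotAfter      = $_.NotAfter.ToString('yyyy-MM-dd')
        DaysLeft      = $daysLeft
        Status        = $status
    }
}

# Certificates without Server Authentication EKU or a private key cannot serve PEAP/EAP-TLS.
$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

Run it on the NPS server itself; a RAS/IAS certificate that shows ServerAuthEKU = False or HasPrivateKey = False is the usual cause of clients rejecting the authenticator even when the certificate is unexpired.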

