IPSEC with certificates on Windows XP (Certificate doesn't have a private key)

tnickel_at_gmx.de
Date: 03/08/05

  • Next message: Valery Pryamikov: "Re: Raw RSA operations with CryptDecrypt"
    Date: 8 Mar 2005 08:57:36 -0800
    
    

    Hello,
    I have a question about the Microsoft CSP and IPSEC.

    Short system description:
    I have installed a small network of 4 computers: two Windows XP
    computers and two Windows 2000 computers.
    On one Windows 2000 computer I have installed a Microsoft CA.

    Short error description:
    I installed IPSEC on all four computers.

    a) IPSEC works fine with preshared keys on all four machines ==> This
    means the configuration of IPSEC is correct.

    b) IPSEC works fine with Windows 2000 and certificates ==> This means
    I have understood the signing mechanism and the configuration of the
    four machines is correct. But IPSEC doesn't work on the XP machines!!

    I generated certificate requests and signed these requests via the
    Microsoft CA (Windows 2000 Server).

    I imported these signed requests into the 2000 machines.
    After import, the signed requests have a corresponding private key on
    the Windows 2000 computers.

    But on the XP machines there are no corresponding private keys!!!

    My questions:
    a) Is there a difference in certreq.exe between 2000 and XP?
    b) How does Windows find the corresponding private key in the import
    process?
    c) Why doesn't my XP have a corresponding private key? I think this
    is the reason why my IPSEC doesn't work on XP. What is wrong in my XP
    configuration?

    The program certreq.exe generates a certificate request.

    I set the attribute UseExistingKeySet = FALSE. This means that the
    Microsoft CSP generates a new key pair and the public key is exported
    by certreq into the request file.

    [NewRequest]
    KeySpec = 1
    KeyLength = 1024
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = FALSE
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
    ProviderType = 1
    RequestType = PKCS10
    KeyUsage = 0xa0
    Subject = "CN=Thomas Nickel, OU=P54, O=Wincor-Nixdorf"
    [Extensions]
    2.5.29.17=MAaHBMCoAQE=

     
    Long error description for XP
    XP a) In the first step I deleted all personal certificates of the
    local computer store and the current user store.

    Figure 1: The personal certificate store of the local computer is empty

    Figure 2: The personal certificate store of the current user is
    empty

    XP b) I attached the registry for Windows system certificates to this
    email.
    This registry has the state before certificate generation.
    See attached file "3_registry_before_certreq.reg"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\disallowed]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\disallowed\Certificates]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\disallowed\CRLs]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\disallowed\CTLs]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\CRLs]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\CTLs]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Keys]
    Figure 3: Snapshot of the registry
    XP c) I call "certreq -new certreq.inf"
    with:
    certreq.inf
    [NewRequest]
    KeySpec = 1
    KeyLength = 1024
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = FALSE
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
    ProviderType = 01
    RequestType = PKCS10
    KeyUsage = 0xa0
    Subject = "CN=Thomas Nickel, OU=P54, O=Wincor-Nixdorf"
    [Extensions]
    2.5.29.17=MAaHBMCoAQE=

    The certificate request has a corresponding key, see picture below

     
    XP d) I attached the generated request to this email, see
    "certrequest_xp.req"

    XP e) I sent this request to the 2000 computer with the Microsoft CA
    for signing.
    See pictures below for the signing process.
    Figure 4: Send request to CA
    Figure 5: Submit request
    Figure 6: Get signed request from CA
    See attached the result file "certrequest_xp_signed..cer"

    XP f) I imported this signed request into the
    "localComputer/Personal/Certificatestore".
    See the picture below.

    XP g) After importing, the certificate doesn't have a corresponding
    private key.

    XP h) I attached the registry after import of the signed request to this
    email, see attached file "5_registry_after_importing_signed.reg"

    Description for 2000
    I do the same for 2000 but the result is different: after importing
    the signed certificate, this certificate has a corresponding private
    key.

    On Windows 2000 everything with IPSEC works fine.
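As an added example (not part of the original post), the POSIX shell script below uses OpenSSL to show the relationship behind question b): a certificate store can only bind a certificate to a private key whose public half equals the certificate's SubjectPublicKeyInfo, so a certificate imported onto a machine whose key store holds a different key shows "no private key". The script constructs its own key, PKCS#10 request, throwaway CA and issued certificate in a temporary directory (assumption: openssl is on PATH) and compares the key identifiers, once for the matching key and once for an unrelated one.

```shell
#!/bin/sh
# Added example, not from the original post. A certificate store binds a
# certificate to a private key only when the key's public half equals the
# certificate's SubjectPublicKeyInfo (SPKI); the check below derives an SPKI
# fingerprint from a key, a PKCS#10 request and a certificate and compares them.
set -e

# SHA-1 of the DER SubjectPublicKeyInfo taken from a key, request or certificate.
spki_id() {  # $1 = kind (key|req|cert), $2 = PEM file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    req)  openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha1 | sed 's/^.*= *//'
}

# Returns 0 when certificate $1 was issued for request $2 AND private key $3 can serve it.
cert_matches_key() {
  id=$(spki_id cert "$1")
  [ "$id" = "$(spki_id req "$2")" ] && [ "$id" = "$(spki_id key "$3")" ]
}

# Constructed material in a temporary directory: a host key and request (2048-bit
# here; the post's certreq.inf uses 1024), a throwaway CA, the issued certificate,
# and an unrelated key standing in for a store that does not hold the request's key.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
openssl genrsa -out "$WORK/ipsec.key" 2048 2>/dev/null
openssl req -new -key "$WORK/ipsec.key" -subj "/CN=ipsec-host-example" -out "$WORK/ipsec.req"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -subj "/CN=Example CA" \
  -days 1 -out "$WORK/ca.cer" 2>/dev/null
openssl x509 -req -in "$WORK/ipsec.req" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/ipsec.cer" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

if cert_matches_key "$WORK/ipsec.cer" "$WORK/ipsec.req" "$WORK/ipsec.key"; then
  echo "ipsec.cer: key identifier $(spki_id cert "$WORK/ipsec.cer") matches the private key"
fi
if ! cert_matches_key "$WORK/ipsec.cer" "$WORK/ipsec.req" "$WORK/other.key"; then
  echo "ipsec.cer: no matching private key available; a store would show 'no private key'"
fi
```

The same two `openssl ... -pubkey` commands accept a `.req` and a `.cer` exported from the Windows machines, so the comparison can be run directly against the files named in the post.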

