Re: Using Certificates with IPSEC

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 01/28/05


Date: Fri, 28 Jan 2005 15:33:54 -0600

In article <FAD1D514-2475-41A9-8081-D1C35E4B9146@microsoft.com>,
Scotty@discussions.microsoft.com says...
> How do you implement IPSEC using Certificates? Right now I have it set up
> with Kerberos. Does the Client/Server have to have each other's Certificate,
> etc?
>
Both endpoints (computers) must have a certificate that chains to the
same root CA, or to CAs that are trusted by the opposite endpoint.

Brian
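
The trust requirement described in the reply above, as an added example that is not part of the original post. It assumes the OpenSSL command-line tool stands in for the Windows certificate stores, and all CA and endpoint names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo data: RootA, RootB, client, server, partner are made-up names.

make_root() {   # $1 = CA name -> writes $1.key and a self-signed $1.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue() {       # $1 = endpoint name, $2 = issuing CA -> writes $1.crt
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 1 -out "$1.crt" 2>/dev/null
}

# peer_accepts STORE CERT: does an endpoint whose trusted roots are the
# PEM bundle STORE accept CERT?
peer_accepts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# mutual_ok STORE_A CERT_A STORE_B CERT_B: certificate authentication needs
# both directions to validate, A's cert against B's store and vice versa.
mutual_ok() {
  peer_accepts "$3" "$2" && peer_accepts "$1" "$4"
}

report() {      # $1 = label, remaining args are passed to mutual_ok
  label=$1; shift
  if mutual_ok "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

work=$(mktemp -d) && cd "$work" || exit 1
make_root RootA; make_root RootB
issue client RootA; issue server RootA; issue partner RootB
cat RootA.crt RootB.crt > both.crt   # a store that trusts both roots

report "same root CA"             RootA.crt client.crt RootA.crt server.crt
report "different roots, no trust" RootA.crt server.crt RootB.crt partner.crt
report "each trusts other's root"  both.crt  server.crt both.crt  partner.crt
report "trust on one side only"    both.crt  server.crt RootB.crt partner.crt
```
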


