Re: Using Certificates with IPSEC

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 01/28/05


Date: Fri, 28 Jan 2005 16:10:40 -0600

In article <3922BF52-8930-4BC0-80E2-490DEED7D733@microsoft.com>,
Scotty@discussions.microsoft.com says...
> What is the process of trusting other computers for IPSEC using Certificates?
>
> "Brian Komar" wrote:
>
> > In article <FAD1D514-2475-41A9-8081-D1C35E4B9146@microsoft.com>,
> > Scotty@discussions.microsoft.com says...
> > > How do you implement IPSEC using Certificates? Right now I have it set up
> > > with Kerberos. Does the Client/Server have to have each others Certificate,
> > > etc?
> > >
> > Both endpoints (computers) must have a certificate that chains to the
> > same root CA, or to CAs that are trusted by the opposite endpoint.
> >
> > Brian
> >
>
1) You have to deploy the certificates to the two endpoint computers.
2) Change the authentication method for the IP Security rule to
certificates, rather than Kerberos or pre-shared keys. When you
designate certificates on the Authentication Methods tab, you then
designate the root CA certificate that must be used.

Correcting myself: you must use the same root CA on both ends. The
issuing CAs can be different CAs, as long as they chain to the same root CA.

Brian
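The two steps above, scripted as an added example (this is not code from Brian's post or from Microsoft). The post describes the Windows Server 2003 IP Security Policy snap-in; this script uses the NetSecurity PowerShell module that ships with Windows 8 / Server 2012 and later, which exposes the same "certificate, pinned to a named root CA" authentication method. The root CA name "Contoso Root CA" and the server subnet 10.0.1.0/24 are assumed placeholders. It also adds the check a practitioner wants before touching the rule: confirm that this endpoint actually holds a machine certificate with a private key whose chain terminates at that root.

```powershell
# Added example, not part of the original post. Requires the NetSecurity module
# (Windows 8 / Server 2012 or later). Run it, unchanged, on BOTH endpoints: the
# root CA is the shared trust anchor; the issuing CAs may differ.

$RootCaCN     = 'Contoso Root CA'   # assumed: CN of the root every endpoint must chain to
$ServerSubnet = '10.0.1.0/24'       # assumed: peers this rule applies to

# Locate the trust anchor in the machine's Trusted Root store. If it is missing here,
# this endpoint cannot validate a peer's certificate regardless of how the rule is set.
function Get-TrustedRoot {
    param([string]$CommonName)
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($CommonName))(,|`$)" } |
        Select-Object -First 1
}

# Step 1 check: a machine certificate WITH a private key whose chain ends at that root.
# Only the root has to match the peer's; the issuing CA in between may be different.
function Find-IpsecMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Root)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        if (-not $cert.HasPrivateKey) { continue }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only want the path here; IKE checks revocation itself
        if (-not $chain.Build($cert)) { continue }
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($top.Thumbprint -eq $Root.Thumbprint) { return $cert }
    }
    return $null
}

$root = Get-TrustedRoot -CommonName $RootCaCN
if (-not $root) { throw "Root CA '$RootCaCN' is not in Cert:\LocalMachine\Root on this host" }

$machineCert = Find-IpsecMachineCert -Root $root
if (-not $machineCert) {
    throw "No machine certificate with a private key chains to '$RootCaCN'; enrol one first (step 1)"
}
Write-Host "Using machine certificate '$($machineCert.Subject)' issued by '$($machineCert.Issuer)'"

# Step 2: authentication method = machine certificate, pinned to that root CA.
# -Authority takes the root's distinguished name; the root's own Subject string is used here.
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $root.Subject -AuthorityType Root
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "Machine cert auth ($RootCaCN)" -Proposal $proposal

# Require protection for inbound traffic from the subnet, request it outbound, and
# authenticate main mode with the certificate proposal instead of Kerberos or a PSK.
New-NetIPsecRule -DisplayName "IPsec cert auth to $ServerSubnet" `
    -RemoteAddress $ServerSubnet `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name
```

Once traffic has flowed between the two hosts, `Get-NetIPsecMainModeSA` lists the established main mode SAs together with the authentication method and the remote peer's certificate, which is the quickest way to confirm that the exchange really used certificates and not a fallback method. If one side still has a Kerberos or PSK rule for the same traffic, the two rules must agree or negotiation fails, so check both ends with `Get-NetIPsecRule`.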


