Re: Using Certificates with IPSEC

From: Louise Bowman [MSFT] (lbowman_at_online.microsoft.com)
Date: 01/29/05


Date: Fri, 28 Jan 2005 18:02:04 -0800

One more thing:
Make sure the certs are machine certs and not user certs.

-- 
Louise Bowman
(MSFT)
This posting is provided "AS IS" with no warranties, and confers no rights.
"Brian Komar" <bkomar@nospam.identit.ca> wrote in message
news:MPG.1c64744c3faedf529896c2@msnews.microsoft.com...
> In article <3922BF52-8930-4BC0-80E2-490DEED7D733@microsoft.com>,
> Scotty@discussions.microsoft.com says...
> > What is the process of trusting other computers for IPSEC using Certificates?
> >
> > "Brian Komar" wrote:
> >
> > > In article <FAD1D514-2475-41A9-8081-D1C35E4B9146@microsoft.com>,
> > > Scotty@discussions.microsoft.com says...
> > > > How do you implement IPSEC using Certificates?  Right now I have it set up
> > > > with Kerberos.  Does the Client/Server have to have each others Certificate,
> > > > etc?
> > > >
> > > Both endpoints (computers) must have a certificate that chains to the
> > > same root CA, or to CAs that are trusted by the opposite endpoint.
> > >
> > > Brian
> > >
> >
> 1) You have to deploy the certificates to the two endpoint computers
> 2) Change the authentication method for the IP Security Rule to
> certificates, rather than Kerberos or pre-shared keys. When you
> designate the certificate on the Authentication Methods tab, you then
> designate the root CA certificate that must be used.
>
> Correcting myself, you must use the same root CA on both ends. The CA
> can be different CAs that chain to the same root CA.
>
> Brian
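The two checks the thread turns on (the certificate must be a machine certificate, and both endpoints must chain to the same designated root CA) and the switch from Kerberos to certificate authentication, as an added PowerShell example that is not from the thread. It assumes a modern Windows with the NetSecurity module (Windows 8 / Server 2012 or later); the 2005-era thread did this through the IP Security Policy MMC snap-in. The root CA subject and peer address are placeholders.

```powershell
# Added example (not from the thread). Assumes the NetSecurity module
# (Windows 8 / Server 2012 or later). Root CA subject and peer address are placeholders.
$RootCaSubject = "CN=Example Root CA"   # placeholder: the root both endpoints must chain to

# 1) Look in the MACHINE store (Cert:\LocalMachine\My), not the user store:
#    IPsec authenticates the computer, so a user certificate will not be used.
function Get-IPsecMachineCert {
    param([string]$RootSubject)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        if (-not $cert.HasPrivateKey) { continue }          # need the key to authenticate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'        # this is a chain-building check only
        if (-not $chain.Build($cert)) { continue }           # does not chain to a trusted root
        # The last chain element is the root; it must be the root designated in the rule.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Subject -eq $RootSubject) { return $cert }
    }
    return $null
}

$cert = Get-IPsecMachineCert -RootSubject $RootCaSubject
if (-not $cert) {
    throw "No machine certificate with a private key chains to '$RootCaSubject'"
}
Write-Output "Using machine cert $($cert.Thumbprint) issued by $($cert.Issuer)"

# 2) Replace Kerberos / pre-shared key with certificate authentication. The proposal
#    names the root CA that the peer's certificate must chain to (same root on both ends;
#    the issuing CAs may differ as long as they chain to that root).
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCaSubject -AuthorityType Root
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "IPsec cert auth ($RootCaSubject)" -Proposal $proposal

# 3) Require IPsec (transport mode by default) for traffic to the peer (placeholder address).
New-NetIPsecRule -DisplayName "Require IPsec (cert auth) to peer" `
    -RemoteAddress "192.0.2.10" `
    -Phase1AuthSet $authSet.Name `
    -InboundSecurity Require -OutboundSecurity Require
```

Run the same script on the other endpoint with its own address as the peer; if either side has only a user certificate or a certificate under a different root, the first step fails before any rule is created.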

