Re: Certificates on Floppy Disk?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 09/03/04


Date: Thu, 2 Sep 2004 20:07:26 -0500

I fired up my Windows 2003 domain controller to see how Certificate Services was
different and found out the ipsec offline template does have the "export keys" box
grayed out when used with Web Enrollment. What you need to do is create a "duplicate
template" of the ipsec offline template. Open up the CA Management Console and go to
certificate templates and then right click and select manage. Find the ipsec offline
template, right click and select duplicate. Create a duplicate template and name it
something a bit different. Then go to the "request handling" page to check allow
private key to be exportable. Save the template and add it to the list of available
templates. The link below explains a bit more.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/ctcon_howto_new.asp

I noticed after creating the new template that it does not appear in Web Enrollment
right away but after about 15 minutes it showed up [at least for me] and then allowed
me to check "mark keys as exportable" and create a certificate/private key in the
computer store. --- Steve

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:ecvzFUUkEHA.3648@TK2MSFTNGP09.phx.gbl...
> Where did you see this, when you tried to export it from your certificate store? If
> so, you have to select the option for "mark keys as exportable" when you request the
> certificate via Web Enrollment. When I do this I am using a Windows 2000
> Enterprise Certificate Authority and am logged onto the domain as a domain
> administrator when requesting the certificates. It may be a bit different for
> Windows 2003. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
> -- more details on Windows 2003 PKI.
>
> "Marc" <Marc.VanSchandevijl@-removethis-ping.be> wrote in message
> news:OAZFqNPkEHA.704@TK2MSFTNGP12.phx.gbl...
>> I've stumbled into a problem:
>>
>> select "mark keys as exportable"
>>
>> This option is greyed out.
>>
>> What could be the reason?
>>
>> Marc
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:%23jeR5cEkEHA.2908@TK2MSFTNGP10.phx.gbl...
>>> If you want to place the computer certificates on a floppy or email them to the users
>>> follow these steps. This is assuming the use of an Enterprise CA and may differ for a
>>> stand alone CA. Ipsec offline template needs to be added in the Certificate Authority
>>> Management Console via policy settings/new - certificate to issue.
>>>
>>> -- Enable Web Enrollment on your CA and logon to it as an administrator. You can use
>>> the computername as in http://CAservername/certsrv.
>>>
>>> -- Select request a certificate then next, select advanced request then next, select
>>> submit a certificate to this CA then next.
>>>
>>> -- For certificate template select router (offline request). In identifying
>>> information under name type the name of the computer you are requesting for, using the
>>> fully qualified domain name if in an AD domain as in computer1.mydomain.com. The
>>> rest of the information in identifying information is optional. Under key options
>>> select "mark keys as exportable" [do not select export keys to a file] and select
>>> "use local machine store". Then select submit at the bottom of the page.
>>>
>>> -- The next page should show that the certificate you requested was issued to you and
>>> give you the option to install this certificate, which you want to do. You may receive
>>> warning messages along the way, just OK those messages.
>>>
>>> -- After done requesting certificates, go to your computer certificate store by using
>>> mmc and selecting add snapin for certificates for computer account. Go to the
>>> personal/certificates folder and you should see the certificates you issued and
>>> installed. Right click one of those certificates and select all tasks/export. The
>>> export wizard will start. Select next and choose yes for export the private key and
>>> unselect enable strong protection, as the user will have to enter the private key
>>> password every time the private key is used unless you want that feature. Select next
>>> and enter a password for the private key, which will need to be communicated to the end
>>> user in order to open the .pfx file you are going to create. Then select a filename
>>> and browse to where you want to save it. Select finish and you should get a message
>>> that the export was successful.
>>>
>>> -- You can now distribute that file to the user that needs it. They will open the file
>>> and need to enter the password you used to protect the private key. The wizard will
>>> automatically install the private key/certificate. I have noticed that it may install
>>> in the wrong store (user instead of computer) and the certificate will not work for
>>> L2TP. If that happens instruct the user to open their mmc snapin for the computer store
>>> to see if the certificate is present. If it is not, they will have to go to the
>>> personal folder for the computer store and select import and then browse to the .pfx
>>> file to install it to the computer store.
>>>
>>> -- The computer will also need to have the certificate for your Certificate Authority
>>> in their Trusted Root CA folder in the mmc snapin for computer accounts. You can
>>> easily export your CA certificate [no need for private key] to a .cer file and
>>> distribute that to users also to import into their computer. If they open the file
>>> the wizard should automatically install that certificate for your CA in the right
>>> folder. --- Steve
>>>
>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>> news:OK$TuxDkEHA.3664@TK2MSFTNGP12.phx.gbl...
>>> > You can use Web Enrollment and have the user request the machine certificate that way,
>>> > though the user will need to be in the local administrator group and do an advanced
>>> > request for router offline certificate and select install to local machine store
>>> > [at least if using an Enterprise CA - may differ a bit for standalone CA]. If this
>>> > is an Enterprise CA you will first have to enable the CA to issue the offline
>>> > ipsec certificate. The link below may help. --- Steve
>>> >
>>> > http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp
>>> >
>>> > "Marc" <Marc.VanSchandevijl@-removethis-ping.be> wrote in message
>>> > news:u5FigHDkEHA.2908@TK2MSFTNGP10.phx.gbl...
>>> >> I want to implement L2TP with a Certificate Server on SBS 2003.
>>> >>
>>> >> Normally to distribute the certificates to the clients, these have to be
>>> >> connected to the network. Is there no other way? F.e. copying the
>>> >> certificate on a CD or Floppy, and then distributing the certificate to the
>>> >> client PC with this CD/Floppy...
>>> >>
>>> >> How can this be done?
>>> >>
>>> >> Marc
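The procedure the thread walks through by hand (export the machine certificate with its private key to a password-protected .pfx, ship the CA certificate as a .cer, then import both on the client into the computer store rather than the user store) scripted as an added example. This is not code from the thread or from Microsoft: it uses the PKI module cmdlets that ship with Windows 8 / Server 2012 and later, which do not exist on the Windows 2003 / XP systems discussed above, where the MMC wizard is the way to do it. The names computer1.mydomain.com, A:\ and the output file names are assumptions. It adds the two checks the thread runs into the hard way: that the key is actually exportable before the export is attempted, and that the import on the client lands in Cert:\LocalMachine rather than Cert:\CurrentUser.

```powershell
# Added example (not from the thread). Windows PowerShell 5.1 with the PKI module.
# Assumptions (hypothetical): the machine certificate was enrolled into
# Cert:\LocalMachine\My with "mark keys as exportable" and its subject CN is the FQDN.
$ClientFqdn = 'computer1.mydomain.com'   # assumption: name typed at enrollment
$OutDir     = 'A:\'                      # assumption: removable media (floppy/USB)

# 1. Locate the machine certificate in the *computer* store. L2TP/IPsec only looks
#    there, which is why a PFX that ended up in the user store "does not work".
$escaped = [regex]::Escape($ClientFqdn)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "^CN=$escaped(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No machine certificate for $ClientFqdn in Cert:\LocalMachine\My" }

# 2. Pre-check exportability. A key enrolled from a template whose "allow private key
#    to be exported" box is unchecked (the greyed-out case in the thread) fails here.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    # CNG key: export policy is a flags enum on the key handle
    $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
    $exportable = ([int]($rsa.Key.ExportPolicy -band $allow)) -ne 0
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    # Legacy CAPI (CSP) key, the kind a 2003-era template produces
    $exportable = $rsa.CspKeyContainerInfo.Exportable
} else {
    $exportable = $true   # unknown provider: let Export-PfxCertificate report the error
}
if (-not $exportable) {
    throw "Private key of $($cert.Thumbprint) is not exportable; re-enroll from a template that allows export"
}

# 3. Export certificate + private key as a password-protected PFX. Read-Host keeps the
#    password out of the script file and the shell history. Use a long random password
#    and hand it to the user out of band, never alongside the .pfx itself.
$pw      = Read-Host -AsSecureString -Prompt 'PFX password'
$pfxPath = Join-Path $OutDir "$ClientFqdn.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pw -ChainOption EndEntityCertOnly | Out-Null

# 4. Export the issuing CA's certificate (public part only, no private key) so the
#    client can build the chain, as the last step of the thread describes.
$caCert = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -eq $cert.Issuer } | Select-Object -First 1
if (-not $caCert) { throw "Issuer '$($cert.Issuer)' not found in the local Root/CA stores" }
$cerPath = Join-Path $OutDir 'issuing-ca.cer'
Export-Certificate -Cert $caCert -FilePath $cerPath -Type CERT | Out-Null
Write-Host "Wrote $pfxPath and $cerPath"

# 5. On the client, from an elevated prompt (the thread's local administrator
#    requirement still applies). -CertStoreLocation forces the computer store, avoiding
#    the double-click wizard that defaults to the current user's store. Leaving out
#    -Exportable marks the imported key non-exportable on the client, so it cannot be
#    lifted from that machine later.
#   Import-PfxCertificate -FilePath "$ClientFqdn.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password (Read-Host -AsSecureString -Prompt 'PFX password')
#   Import-Certificate    -FilePath 'issuing-ca.cer'  -CertStoreLocation Cert:\LocalMachine\Root
#   Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey   # confirm it landed in the computer store
```

Because the key is generated on the administrator's machine and then carried to the client, the administrator (and anyone who picks up the floppy) holds a copy of the client's private key; the PFX password is the only thing protecting it, so treat the media as sensitive and destroy or wipe it after import. Where the clients can reach the CA at all, letting each machine enroll for its own key avoids that copy entirely.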


