Re: Certificates on Floppy Disk?
From: Marc (Marc.VanSchandevijl_at_-removethis-ping.be)
Date: 09/03/04
- Next message: SA: "Host firewall on DC"
- Previous message: Marc: "Re: Certificates on Floppy Disk?"
- In reply to: Marc: "Re: Certificates on Floppy Disk?"
- Next in thread: Steven L Umbach: "Re: Certificates on Floppy Disk?"
- Reply: Steven L Umbach: "Re: Certificates on Floppy Disk?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 3 Sep 2004 14:27:40 +0200
Can it have something to do with the fact that the copy of the certificate
states:
'Minimum supported CAs: Windows Server 2003, ENTERPRISE Edition,'
where the original stated: 'Windows 2000'?
If yes, is there a solution for this, as I don't have the Enterprise
Edition...
Marc
"Marc" <Marc.VanSchandevijl@-removethis-ping.be> wrote in message
news:eX0gHDbkEHA.3552@TK2MSFTNGP12.phx.gbl...
> It seems with every step I stumble into a new problem. I can't say the
> procedure is very straightforward...
>
> > Save the template and add it to list of available templates.
>
> I made the new template, saved it, but then... How can I put it in the
> list of available templates? When I 'Certificate Template to Issue' I
> see a list, but my new template isn't in this list...
>
> Marc
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:u9lKUKVkEHA.1048@tk2msftngp13.phx.gbl...
> > I fired up my Windows 2003 domain controller to see how Certificate
> > Services was different and found out the ipsec offline template does
> > have the "export keys" box grayed out when used with Web Enrollment.
> > What you need to do is create a "duplicate template" of the ipsec
> > offline template. Open up the CA Management Console and go to
> > certificate templates and then right click and select manage. Find the
> > ipsec offline template, right click and select duplicate. Create a
> > duplicate template and name it something a bit different. Then go to
> > the "request handling page" to check allow private key to be
> > exportable. Save the template and add it to the list of available
> > templates. The link below explains a bit more.
> >
> > http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/ctcon_howto_new.asp
> >
> > I noticed after creating the new template that it does not appear in
> > Web Enrollment right away but after about 15 minutes it showed up [at
> > least for me] and then allowed me to check "mark keys as exportable"
> > and create a certificate/private key in the computer store. --- Steve
> >
> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > news:ecvzFUUkEHA.3648@TK2MSFTNGP09.phx.gbl...
> > > Where did you see this when you try to export it from your
> > > certificate store?? If so you have to select the option for "mark
> > > keys as exportable" when you request the certificate via Web
> > > Enrollment. When I do this I am using a Windows 2000 Enterprise
> > > Certificate Authority and am logged onto the domain as a domain
> > > administrator when requesting the certificates. It may be a bit
> > > different for Windows 2003. --- Steve
> > >
> > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
> > > -- more details on Windows 2003 PKI.
> > >
> > > "Marc" <Marc.VanSchandevijl@-removethis-ping.be> wrote in message
> > > news:OAZFqNPkEHA.704@TK2MSFTNGP12.phx.gbl...
> > >> I've stumbled into a problem:
> > >>
> > >> select "mark keys as exportable"
> > >>
> > >> This option is greyed out.
> > >>
> > >> What could be the reason?
> > >>
> > >> Marc
> > >>
> > >> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > >> news:%23jeR5cEkEHA.2908@TK2MSFTNGP10.phx.gbl...
> > >>> If you want to place the computer certificates on a floppy or email
> > >>> them to the users follow these steps. This is assuming the use of
> > >>> an Enterprise CA and may differ for a stand alone CA. Ipsec offline
> > >>> template needs to be added in the Certificate Authority Management
> > >>> Console via policy settings/new - certificate to issue.
> > >>>
> > >>> -- Enable Web Enrollment on your CA and logon to it as an
> > >>> administrator. You can use the computername as in
> > >>> http://CAservername/certsrv.
> > >>>
> > >>> -- Select request a certificate then next, select advanced request
> > >>> then next, select submit a certificate to this CA then next.
> > >>>
> > >>> -- For certificate template select router (offline request). In
> > >>> identifying information under name type the name of the computer
> > >>> you are requesting for using the fully qualified domain name if in
> > >>> an AD domain as in computer1.mydomain.com. The rest of the
> > >>> information in identifying information is optional. Under key
> > >>> options select "mark keys as exportable" [do not select export keys
> > >>> to a file] and select "use local machine store". Then select submit
> > >>> at the bottom of the page.
> > >>>
> > >>> -- The next page should show that the certificate you requested was
> > >>> issued to you and give you the option to install this certificate
> > >>> which you want to do. You may receive warning messages along the
> > >>> way, just OK those messages.
> > >>>
> > >>> -- After done requesting certificates, go to your computer
> > >>> certificate store by using mmc and selecting add snapin for
> > >>> certificates for computer account. Go to the personal/certificates
> > >>> folder and you should see the certificates you issued and
> > >>> installed. Right click one of those certificates and select all
> > >>> tasks/export. The export wizard will start. Select next and choose
> > >>> yes for export the private key and unselect enable strong protection
> > >>> as the user will have to enter the private key password every time
> > >>> the private key is used unless you want that feature. Select next
> > >>> and enter a password for the private key which will need to be
> > >>> communicated to the end user in order to open the .pfx file you are
> > >>> going to create. Then select a filename and browse to where you want
> > >>> to save it. Select finish and you should get a message that the
> > >>> export was successful.
> > >>>
> > >>> -- You can now distribute that file to the user that needs it. They
> > >>> will open the file and need to enter the password you used to
> > >>> protect the private key. The wizard will automatically install the
> > >>> private key/certificate. I have noticed that it may install in the
> > >>> wrong store - user instead of computer and the certificate will not
> > >>> work for L2TP. If that happens instruct the user to open their mmc
> > >>> snapin for computer store to see if the certificate is present. If
> > >>> it is not, they will have to go to the personal folder for the
> > >>> computer store and select import and then browse to the .pfx file to
> > >>> install it to the computer store.
> > >>>
> > >>> -- The computer will also need to have the certificate for your
> > >>> Certificate Authority in their Trusted Root CA folder in the mmc
> > >>> snapin for computer accounts. You can easily export your CA
> > >>> certificate [no need for private key] to a .cer file and distribute
> > >>> that to users also to import into their computer. If they open the
> > >>> file the wizard should automatically install that certificate for
> > >>> your CA in the right folder. --- Steve
> > >>>
> > >>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > >>> news:OK$TuxDkEHA.3664@TK2MSFTNGP12.phx.gbl...
> > >>> > You can use Web Enrollment and have the user request the machine
> > >>> > certificate that way, though the user will need to be in the local
> > >>> > administrator group and do an advanced request for router offline
> > >>> > certificate and select install to local machine store [at least if
> > >>> > using an Enterprise CA - may differ a bit for standalone CA]. If
> > >>> > this is an Enterprise CA you will first have to enable the CA to
> > >>> > issue the offline ipsec certificate. The link below may help.
> > >>> > --- Steve
> > >>> >
> > >>> > http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp
> > >>> >
> > >>> > "Marc" <Marc.VanSchandevijl@-removethis-ping.be> wrote in message
> > >>> > news:u5FigHDkEHA.2908@TK2MSFTNGP10.phx.gbl...
> > >>> >> I want to implement L2TP with a Certificate Server on SBS 2003.
> > >>> >>
> > >>> >> Normally to distribute the certificates to the clients, these
> > >>> >> have to be connected to the network. Is there no other way? F.e.
> > >>> >> copying the certificate on a CD or Floppy, and then distributing
> > >>> >> the certificate to the client-PC with this CD/Floppy...
> > >>> >>
> > >>> >> How can this be done?
> > >>> >>
> > >>> >> Marc
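The client-side half of the procedure quoted above (trust the CA's .cer, import the distributed .pfx into the computer store, and check it did not land in the user store, which Steve notes breaks L2TP) as an added example that is not part of the thread. It uses the PKI module cmdlets (Import-Certificate, Import-PfxCertificate) that ship with Windows 8 / Server 2012 and later, not the MMC wizard the 2004 posts describe; the file paths are placeholders, and the password is the one entered during the export wizard. Run it from an elevated prompt on the client machine.

```powershell
# Added example, not code from the thread. Assumes the PKI PowerShell module
# (Windows 8 / Server 2012+) and an elevated session. Paths are placeholders.
param(
    [string]$PfxPath    = 'A:\client1.pfx',   # placeholder: the .pfx handed out on floppy/CD
    [string]$CaCertPath = 'A:\myca.cer'       # placeholder: the CA certificate (no private key)
)

# 1. Trust the issuing CA in the *computer* Trusted Root store.
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "CA installed in LocalMachine\Root: $($ca.Subject) ($($ca.Thumbprint))"

# 2. Import the client certificate plus private key into the computer Personal store.
#    Read-Host -AsSecureString keeps the export password out of the command history.
$pfxPassword = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword

# 3. Verify placement: the thread reports the wizard sometimes installs into the
#    user store instead of the computer store, and L2TP only looks in the latter.
$inMachine = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object Thumbprint -eq $cert.Thumbprint
$inUser    = Get-ChildItem 'Cert:\CurrentUser\My'  | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $inMachine) { throw "Certificate $($cert.Thumbprint) is not in the computer store" }
if ($inUser)         { Write-Warning 'A copy also sits in the user store; L2TP uses the computer store' }
if (-not $inMachine.HasPrivateKey) { throw 'Imported certificate has no private key attached' }

# 4. Confirm the chain builds up to the CA installed in step 1.
if ($inMachine.Verify()) {
    Write-Host "Chain verified: $($inMachine.Subject) issued by $($inMachine.Issuer)"
} else {
    Write-Warning 'Chain does not verify; check the CA certificate in Trusted Root and CRL reachability'
}
```

Steps 3 and 4 are the checks worth keeping even if the import is done through the wizard: a certificate that verifies but lives in CurrentUser\My, or that was imported without its private key, produces the same "L2TP does not connect" symptom described in the thread.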