Re: Offline creation of machine certificates for VPN access
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/15/05
- Previous message: Steven L Umbach: "Re: Remote Desktop security"
- In reply to: Gerbil: "Offline creation of machine certificates for VPN access"
- Next in thread: S. Pidgorny: "Re: Offline creation of machine certificates for VPN access"
- Reply: S. Pidgorny: "Re: Offline creation of machine certificates for VPN access"
Date: Mon, 14 Feb 2005 21:48:07 -0600
You could let your remote users request via Web Enrollment. If you don't
want to expose your IIS server to the internet, allow those clients to
connect via PPTP and then request a certificate via Web Enrollment
[http://certificateserver/certsrv]. You can still maintain security of your
VPN by configuring Remote Access Policy to only allow those users known to
not have a certificate to use PPTP. You also could request the certificates
for those computers via Web Enrollment yourself if you can configure the
IPsec offline certificate [Windows 2000 Enterprise CA] or computer
certificate that you request to have exportable keys [Windows 2003
Enterprise Server Enterprise CA]. You would have to enter the computer's
name in the name field for the request. After the certificate is installed
on your computer, you could export the certificate and private key to a
password-protected .pfx file to send to the remote user to install into the
computer certificate store on their computer.

--- Steve
"Gerbil" <HartleysXB@yahoo.com> wrote in message
news:78ffa5eb.0502110111.9698a7f@posting.google.com...
> Folks :-
> I am trying to set up an L2TP / IPSec VPN based on Windows 2003
> servers and XP clients. Using autoenrollment and / or the certificate
> request wizard on XP everything works fine. However, I want to allow
> access to some remote PCs; before I can do that I need to generate a
> machine certificate for them, and I am struggling to work out how to do
> that.
>
> I believe the process I need to follow is documented in Advanced
> Certificate Enrollment & Management
> (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx)
> Unfortunately the first step (more or less) is to run certreq.exe
> -new and supply an .inf file. I can't find any documentation about the
> .inf file that I need to supply. I note that certreq -new /? at the
> end gives some clues. I've taken the newrequest section, popped that
> in a .inf file and when I run certreq -new it errors saying the
> certificate could not be renewed! (I want a new one, not to renew an
> existing one!)
>
> Can anyone please point me in the right direction with regards to the
> format of that file and offline / command line machine certificate
> generation in general?
>
> Many thanks
>
> Kevin
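As an added example (not from either poster), a minimal certreq .inf for the offline machine certificate request Kevin asks about, with the key marked exportable so the certificate and private key can afterwards be exported to a password-protected .pfx as Steve describes; the subject name, template name and CA config string are assumed placeholders for your own environment.

```ini
; request.inf -- added example, not from the original thread.
; Requests a machine certificate whose private key lives in the local
; computer store and is marked exportable, so certificate + key can be
; moved to the remote PC as a password-protected .pfx.
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Subject is the remote computer's name (constructed placeholder); it is
; the identity the L2TP/IPsec peer will be checked against.
Subject = "CN=remotepc01.example.com"
KeySpec = 1                 ; AT_KEYEXCHANGE, needed for IPsec/IKE
KeyLength = 2048
Exportable = TRUE           ; required so the key can go into the .pfx
MachineKeySet = TRUE        ; computer store, not the user's store
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xA0             ; digital signature + key encipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.8.2.2     ; IP security IKE intermediate
OID = 1.3.6.1.5.5.7.3.2     ; client authentication

[RequestAttributes]
; Assumed template name: use whichever offline/exportable computer
; template your Enterprise CA actually publishes.
CertificateTemplate = IPSECIntermediateOffline

; Then, on the requesting machine (as an administrator):
;   certreq -new request.inf request.req
;   certreq -submit -config "ca.example.com\Example Issuing CA" request.req cert.cer
;   certreq -accept cert.cer
; Export certificate + key from the computer store to a password-protected PFX:
;   certutil -p "<strong password>" -exportPFX my "remotepc01.example.com" remotepc01.pfx
; Import on the remote PC, into its computer store:
;   certutil -p "<strong password>" -importPFX remotepc01.pfx
```

Send the .pfx and its password over separate channels, and delete the local copy of the .pfx (and the exportable key, if it is not needed on the requesting machine) once the remote PC has imported it.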