Re: Offline creation of machine certificates for VPN access
From: Gerbil (HartleysXB_at_yahoo.com)
Date: 02/22/05
- Next message: Paul Adare: "Re: Now that SHA-1 is cracked..."
- Previous message: Galen: "Re: Now that SHA-1 is cracked..."
- In reply to: Dave W: "Re: Offline creation of machine certificates for VPN access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 21 Feb 2005 17:08:34 -0800
Folks :-
Many thanks for your help so far (especially Dave W.)
Unfortunately even with the "CERTUTIL -setreg policy\EditFlags
+EDITF_ATTRIBUTESUBJECTALTNAME2" and a reboot of the server, when I try
to request a new certificate it fails with "The DNS name is
unavailable and cannot be added to the subject alternate name.
0x8009480f"
The name is resolvable on the server by ping, so why is Certificate
Services having such a problem?
Thanks again
Kevin
Dave W <DaveW@discussions.microsoft.com> wrote in message news:<2CAF836F-D8B7-4B42-8185-90962F610E8C@microsoft.com>...
> Kevin,
> I faced a similar challenge with getting certificates onto an ISA server
> which was in a separate forest to the CA. I did struggle to get sufficient
> information on certreq, but after persevering I came up with the following
> .inf file...
> [Version]
> Signature = "$Windows NT$"
> [NewRequest]
> EncipherOnly = FALSE
> Exportable = FALSE
> KeyLength = 1024
> KeySpec = 1
> MachineKeySet = TRUE
> PrivateKeyArchive = FALSE
> ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
> ProviderType = 12
> RequestType = CMC
> Silent = TRUE
> Subject = "CN=ISA1.Management.Local"
> UseExistingKeySet = FALSE
> UserProtected = FALSE
> [RequestAttributes]
> CertificateTemplate = "MyCompanyISAServer"
> SAN = "dns=isa1.management.local"
>
> Note: to include a SAN in a request you need to make the following change at
> the CA server to enable it to accept requests that include a SAN:
> CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
>
> Finally, here are some notes I made on the certreq tool...
> At ISA Server (Client)
> CERTREQ -new "isa1 server.inf" "a:\isa1 server.req"
>
> At CA Server
> CERTREQ -submit -config "CAHostName\CA Name" "a:\isa1 server.req"
> - Make a note of the request ID, e.g. "117"
>
> At CA Server (Out of Band)
> Accept the certificate request
>
> At CA Server
> CERTREQ -retrieve -config "CAHostName\CA Name" 117 "a:\isa1 server.cer"
>
> At CA Server (Out of Band)
> Retrieve CA Signing Certificate and Chain
> CERTUTIL -ca.chain -v "A:\CA_Chain.p7b"
>
> At ISA Server
> CERTREQ -accept "a:\isa1 server.cer"
>
> I hope some of this helps..
>
> Dave
>
>
> "S. Pidgorny <MVP>" wrote:
> > An easy way to provide certificates to remote users is exporting the
> > certificate together with the private key in a PKCS #12 (.p12/.pfx) file and
> > sending it over e-mail. Do not include password for the file in the e-mail -
> > use telephone/snail mail instead. This is what we have done in my first
> > implementation of PKI back in 1998.
> >
> > Note: Admin privilege is required to import file to the machine container.
> >
> > --
> > Svyatoslav Pidgorny, MVP, MCSE
> > -= F1 is the key =-
> >
> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > news:u7VZbExEFHA.2156@TK2MSFTNGP10.phx.gbl...
> > > You could let your remote users request via Web Enrollment. If you don't
> > > want to expose your IIS server to the internet, allow those clients to
> > > connect via pptp and then request a certificate via Web Enrollment
> > > [http://certificateserver/certsrv]. You can still maintain security of your
> > > VPN by configuring Remote Access Policy to only allow those users known to
> > > not have a certificate to use pptp. You also could request the certificates
> > > for those computers via Web Enrollment yourself if you can configure the
> > > ipsec offline certificate [ Windows 2000 Enterprise CA] or computer
> > > certificate that you request to have exportable keys [Windows 2003
> > > Enterprise Server Enterprise CA]. You would have to enter the computer's
> > > name in the name field for the request. After the certificate is installed
> > > on your computer, you could export the certificate and private key to a
> > > password protected .pfx file to send to the remote user to install into the
> > > computer certificate store on their computer. --- Steve
> > >
> > >
> > > "Gerbil" <HartleysXB@yahoo.com> wrote in message
> > > news:78ffa5eb.0502110111.9698a7f@posting.google.com...
> > > > Folks :-
> > > > I am trying to set up an L2TP / IPSec VPN based on Windows 2003
> > > > servers and XP clients. Using autoenrollment and / or the certificate
> > > > request wizard on XP everything works fine. However, I want to allow
> > > > access to some remote PCs; before I can do that I need to generate a
> > > > machine certificate for them and I am struggling to work out how to do
> > > > that.
> > > >
> > > > I believe the process I need to follow is documented in Advanced
> > > > Certificate Enrollment & Management
> > > >
> > > > (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx)
> > > > Unfortunately the first step (more or less) is to run certreq.exe
> > > > -new and supply an .inf file. I can't find any documentation about the
> > > > .inf file that I need to supply. I note that certreq -new /? at the
> > > > end gives some clues. I've taken the newrequest section, popped that
> > > > in a .inf file and when I run certreq -new it errors saying the
> > > > certificate could not be renewed! (I want a new one, not to renew an
> > > > existing one!)
> > > >
> > > > Can anyone please point me in the right direction with regards to the
> > > > format of that file and offline / command line machine certificate
> > > > generation in general?
> > > >
> > > > Many thanks
> > > >
> > > > Kevin
> > >
> > >
> >
> >
> >
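An added example, not code posted by anyone in this thread. It reproduces Dave W's .inf as a constructed sample, lints it the way a CA operator would before signing (key length, MachineKeySet, Exportable, SAN attribute syntax), and decodes the template's msPKI-Certificate-Name-Flag to show why a request can come back with 0x8009480F (CERTSRV_E_SUBJECT_DNS_REQUIRED): a template that builds the subject from Active Directory and requires a DNS name fails when the CA finds no dNSHostName for the account that submitted the request, which is the usual situation for a user-submitted offline request or a machine in another forest, so the remedy is a template set to supply the subject in the request rather than anything on the server's DNS. The flag bit values are taken from MS-CRTD; the 2048-bit threshold and the other lint rules are this example's own policy, not anything certreq enforces. One caveat the thread does not state: EDITF_ATTRIBUTESUBJECTALTNAME2 is CA-wide and honours a caller-supplied SAN on every template, so with any template that allows client authentication and is open to ordinary enrollees it lets a requester obtain a certificate naming someone else (now catalogued as ESC6); prefer a template whose subject is supplied in the request, with enrollment rights limited to the operators doing this, and clear the flag again when the offline requests are done.

```python
"""Pre-flight checks for an offline certreq machine-certificate request.

Added example for this thread; not code posted by any participant.
Part 1 parses and lints a certreq .inf (the sample below is Dave W's file).
Part 2 decodes the template's msPKI-Certificate-Name-Flag to predict the
CERTSRV_E_SUBJECT_DNS_REQUIRED (0x8009480F) failure from the thread and to
flag the risk of EDITF_ATTRIBUTESUBJECTALTNAME2.  Bit values are from MS-CRTD;
the lint thresholds are this example's own policy, not anything certreq enforces.
"""
import configparser
import re

# Constructed sample: the .inf from the thread, embedded so this runs offline.
SAMPLE_INF = """\
[Version]
Signature = "$Windows NT$"
[NewRequest]
EncipherOnly = FALSE
Exportable = FALSE
KeyLength = 1024
KeySpec = 1
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
Silent = TRUE
Subject = "CN=ISA1.Management.Local"
UseExistingKeySet = FALSE
UserProtected = FALSE
[RequestAttributes]
CertificateTemplate = "MyCompanyISAServer"
SAN = "dns=isa1.management.local"
"""

# SAN request attribute: type=value pairs joined with '&' (tags this linter knows).
SAN_PAIR = re.compile(r"^(dns|upn|email|ipaddress|url|guid)=(.+)$", re.I)


def parse_inf(text):
    """certreq .inf is an INI dialect.  Return {section: {key: value}} with
    section and key names lower-cased and surrounding double quotes stripped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s.lower(): {k.lower(): v.strip().strip('"') for k, v in cp.items(s)}
            for s in cp.sections()}


def lint_request(inf):
    """Return findings a CA operator would raise before signing a machine cert."""
    nr, ra = inf.get("newrequest", {}), inf.get("requestattributes", {})
    findings = []
    if nr.get("machinekeyset", "").upper() != "TRUE":
        findings.append("MachineKeySet must be TRUE: L2TP/IPsec uses the computer store")
    if int(nr.get("keylength", "0")) < 2048:
        findings.append(f"KeyLength {nr.get('keylength')} is below the 2048-bit RSA minimum")
    if nr.get("exportable", "").upper() == "TRUE":
        findings.append("Exportable=TRUE lets the private key leave the host; keep FALSE")
    cn = re.search(r"CN=([^,]+)", nr.get("subject", ""), re.I)
    for pair in filter(None, ra.get("san", "").split("&")):
        m = SAN_PAIR.match(pair.strip())
        if not m:
            findings.append(f"SAN entry {pair!r} is not a type=value pair this linter knows")
        elif m.group(1).lower() == "dns" and cn and m.group(2).lower() != cn.group(1).lower():
            findings.append(f"dns SAN {m.group(2)!r} differs from CN {cn.group(1)!r}: confirm the host owns it")
    return findings


# msPKI-Certificate-Name-Flag bits (MS-CRTD) that decide where the subject comes from.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x08000000
CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN = 0x10000000
CERTSRV_E_SUBJECT_DNS_REQUIRED = 0x8009480F  # "The DNS name is unavailable..."


def explain_template(name_flag, requester_has_dns_host_name, san2_editflag):
    """Predict the CA's answer for a request against a template with these
    name flags, given whether AD holds a dNSHostName for the requesting account
    and whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set on the CA."""
    result = {"error": None, "warnings": []}
    needs_ad_dns = name_flag & (CT_FLAG_SUBJECT_ALT_REQUIRE_DNS | CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN)
    if not (name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) and needs_ad_dns and not requester_has_dns_host_name:
        # Template builds the name from AD; a user account, or a computer from another
        # forest, has no dNSHostName the CA can read, so the request is denied.
        result["error"] = CERTSRV_E_SUBJECT_DNS_REQUIRED
    if san2_editflag:
        result["warnings"].append(
            "EDITF_ATTRIBUTESUBJECTALTNAME2 is CA-wide: any enrollee on any template can "
            "add a SAN via request attributes; with a client-auth template that is "
            "impersonation of arbitrary principals (ESC6). Prefer a template that "
            "supplies the subject in the request, with enrollment rights restricted.")
    if name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        result["warnings"].append(
            "Enrollee supplies subject: limit enrollment permissions or require CA "
            "manager approval, otherwise this is ESC1.")
    return result


if __name__ == "__main__":
    for f in lint_request(parse_inf(SAMPLE_INF)):
        print("INF:", f)
    verdict = explain_template(CT_FLAG_SUBJECT_ALT_REQUIRE_DNS, False, True)
    print("CA would return:", hex(verdict["error"]) if verdict["error"] else "issued")
    for w in verdict["warnings"]:
        print("WARN:", w)
```

Run as-is it reports the one finding on Dave's file (the 1024-bit key) and predicts 0x8009480F for a build-from-AD template with the SAN2 edit flag set. To use it on your own request, read the .inf you give to certreq -new with parse_inf, and take the template's name flag from the pKICertificateTemplate object's msPKI-Certificate-Name-Flag attribute (certutil -v -template shows it) rather than guessing.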