Re: Exportable computer certificate

From: Jarryd (Jarryd_at_youllneverknow.com)
Date: 03/02/05


Date: Wed, 2 Mar 2005 14:17:55 -0000

Hi Steve,

Well I have Win 2003 Server Std. and I am not sure how to check what sort of
installation of CA I have (standalone or enterprise). When I try to enroll
over the web the "mark as exportable" check box is greyed out. So is
this not a problem? Tried to test this on a PC that doesn't have a
certificate installed at present and it failed. Looked in event viewer and
I had a DCOM "Access Denied" error. Followed the instructions to change the
permissions of the CLSID but the relevant key is not there. So not too sure
how to sort that one, or if it is even related. I will try and obtain one
(IPSec offline request) on my PC at home (which is a member of my AD
domain) over the internet, again. I have tried this already I think but
perhaps not stored it in the local computer. It still didn't recognise the
certificate when I did it last but I'll try again and make sure I have done
it right this time. So "IPsec offline request" is good enough for my CA to
authenticate my PC and log me on using L2TP/VPN? All I need then is to meet
the criteria in the RRAS Policy and have a valid AD user account and pwd?

TIA,

Jarryd

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:eAxmNWpHFHA.1392@TK2MSFTNGP10.phx.gbl...
>I guess I spoke too soon. This used to work fine for Windows 2000 CA but it
>was changed in Windows 2003 to not make the ipsec offline exportable. If
>you happen to be using a Windows 2003 Enterprise Server for the CA and it
>is an Enterprise CA you should have the ability to create version 2
>certificate templates by copying a version 1 template and then modifying
>the version 2 template to allow the private key to be exported. I don't
>know of a workaround offhand if you are not using Windows 2003 Enterprise
>Server for the CA other than to use the Web Enroll to request from the
>computer where you want to install the certificate for l2tp. Sorry for the
>confusion. --- Steve
>
>
> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
> news:uHbf9MnHFHA.2784@TK2MSFTNGP09.phx.gbl...
>> Ummm, one thing. Why can't I mark the key as exportable?
>>
>> TIA,
>>
>> Jarryd
>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>> news:O8losGnHFHA.2924@TK2MSFTNGP15.phx.gbl...
>>> You got my back again Steve! You're the King!
>>>
>>> Thanks a mill!
>>>
>>> Jarryd
>>>
>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>> news:OVDAjEfHFHA.3912@TK2MSFTNGP10.phx.gbl...
>>>> It might be easiest to logon to the domain via pptp and request a
>>>> certificate via Web Enrollment when connected to the domain. You can
>>>> use Remote Access Policies to restrict which users can connect via pptp
>>>> and then disable it when done. Otherwise use Web Enrollment from within
>>>> the network to request a certificate for your computer. You will first
>>>> need to enable the ipsec offline template. Then request the certificate
>>>> with advanced request and make sure you request ipsec offline. Then
>>>> enter the name of your computer that you are requesting the certificate
>>>> for and make sure you select that the keys are exportable and to
>>>> install into the computer store. After you are done use the
>>>> certificates for computer mmc snapin on the computer where you made the
>>>> request from, go to the personal certificates folder, find the
>>>> certificate, select all tasks - export, make sure that you select to
>>>> export the private key and to download all certificates in the path,
>>>> and then export to a password protected .pfx file. Do NOT select use
>>>> strong private key protection when you export the private key. Then
>>>> install the certificate on your laptop by going to the computer
>>>> certificate store on your laptop and select import from the
>>>> personal/certificates folder browsing to the .pfx file you created. You
>>>> can simply double click the .pfx file to start the install wizard but
>>>> by manually importing it you will make sure it is installed to the
>>>> computer store. Also verify that your CA's certificate is shown in the
>>>> trusted root CA folder. If you want to disable Web Enrollment you can
>>>> stop/disable the WWW service on the CA or delete the virtual website
>>>> for Web Enrollment that you can again create later with certutil -vroot
>>>> command. --- Steve
>>>>
>>>>
>>>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>>>> news:%23bA28WYHFHA.2420@TK2MSFTNGP14.phx.gbl...
>>>>> Hello,
>>>>>
>>>>> I have set up VPN access on my RRAS server and it is working well. I
>>>>> have only allowed L2TP/IPSec type connections. I have installed
>>>>> computer certificates on laptops using my Win2K3 CA. What I want to
>>>>> do now is create a computer certificate that I can put on disk and
>>>>> install on my PC at home, which is obviously not part of my domain nor
>>>>> connected to my LAN. The only thing that is stopping it from
>>>>> connecting is that I do not have a valid computer certificate
>>>>> installed on my home PC. Does anyone know how you do this?
>>>>>
>>>>> The second thing I would like to do is disable access to my CA using
>>>>> http://CA.IP.Address/certsrv so that obtaining such a certificate is
>>>>> not possible via this method. At the moment it isn't and you would
>>>>> have to know a valid logon and password, but I only want to distribute
>>>>> these certificates manually using a disk. Is this possible?
>>>>>
>>>>> Kindest regards,
>>>>>
>>>>> Jarryd
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
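Steve's export/import procedure above, written out as an added PowerShell example (not from the thread) using the PKI module cmdlets that later Windows versions ship. It assumes an elevated prompt on both machines; the thumbprint and file path are placeholders, and the checks at the end cover the trusted-root and IPsec EKU requirements the thread mentions.

```powershell
# Added example, not from the thread: move a machine certificate enrolled on a
# domain PC to a non-domain client's computer store, then verify it is usable
# for L2TP/IPsec. Requires the PKI module (Windows 8 / Server 2012 or later).
$Thumbprint = '<THUMBPRINT>'                   # placeholder: the issued certificate
$PfxPath    = 'C:\transfer\homepc-l2tp.pfx'    # placeholder: carried over on a disk

# --- On the PC where the certificate was requested ---------------------------
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)               { throw "Certificate $Thumbprint is not in the computer store" }
if (-not $cert.HasPrivateKey) { throw "No private key; the request landed in the wrong store" }

# Export fails when the template did not mark the key exportable (the thread's problem).
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
try {
    # BuildChain also writes the issuing CA certificate ("all certificates in the path").
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw -ChainOption BuildChain | Out-Null
} catch {
    throw "Export failed, the key is probably not exportable: $($_.Exception.Message)"
}

# --- On the home PC (not domain joined) --------------------------------------
# Import into the *computer* store, not the user store. Leaving out -Exportable
# means the key cannot be exported again from this machine.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pw |
            Where-Object HasPrivateKey

# The CA certificate must sit in the computer's Trusted Root store for IKE to trust it.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -eq $imported.Issuer
if (-not $root) { Write-Warning "Issuer '$($imported.Issuer)' is not in LocalMachine\Root" }

# The IPSec (Offline request) template issues the 'IP security IKE intermediate' EKU.
$ike = $imported.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.8.2.2'
if (-not $ike) { Write-Warning 'Certificate lacks the IKE intermediate EKU; RRAS may reject it' }

# Full chain and revocation check, as the VPN server performs it during IKE.
if (Test-Certificate -Cert $imported -Policy Base) { 'Certificate chains to a trusted root' }
```

Remove the .pfx file from the transfer medium once the import has succeeded; it holds the private key protected only by the password chosen above.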


