Microsoft KB Archive/323342

= How to install a certificate for use with IP Security in Windows Server 2003 =

Article ID: 323342

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition

-



This article was previously published under Q323342



For a Microsoft Windows 2000 version of this article, see 253498.

IN THIS TASK

 * SUMMARY
 * Install a Local Computer Certificate from a Stand-Alone Windows Certificate Authority
 * Install a Local Computer Certificate from an Enterprise Windows 2000 or a Windows Server 2003 Certificate Authority
 * Verify That the Local Computer Certificate Has Been Installed



SUMMARY
When IP Security (IPSec) is configured to use a Certificate Authority (CA) for mutual authentication, you must obtain a local computer certificate. This article describes how to install a local computer certificate for use with IPSec from a stand-alone Windows CA.

To obtain a local computer certificate, do one of the following:
 * Obtain this certificate from a third-party CA.
 * Install Certificate Services in Windows to create your own CA.

The request for the local computer certificate is requested by using HTTP. Because a local computer certificate must be used with IPSec, you must submit an advanced request to the CA to specify this.

When you are using a Local Certificate Authority, the CA must be set up to allow IPSEC certificates. The instructions in this article assume that you have permitted Client Authentication, IPSEC, and IPSEC (Offline Request). If you are missing these during the request, you must correctly set up your CA before you continue.

back to the top

Install a Local Computer Certificate from a Stand-Alone Windows Certificate Authority

 * 1) The request is a Web address that contains the IP address or name of the Certificate server, with &quot;/certsrv&quot; appended. In your Web browser, type the following Web address

http:// /certsrv

where  is the IP address or name of the Certificate server.
 * 1) On the initial Welcome page of the Certificate server, click Request a certificate, and then click Next.
 * 2) On the Choose Request Type page, click Advanced request, and then click Next.
 * 3) On the Advanced Certificate Requests page, click Submit a certificate request to this CA using a form, and then click Next.
 * 4) On the Advanced Certificate Request page, type your name and your e-mail name in the appropriate boxes.
 * 5) Under Type of certificate Needed, click Client Authentication Certificate or IPSec Certificate.

If you click IPSec Certificate, this certificate will only be used for IPSec.
 * 1) Under Key Options, click Microsoft Base Cryptographic Provider v1.0, click Signature for Key Usage, and then click 1024 for Key Size.
 * 2) Leave the Create new key set option selected (you can clear the Container Name check box unless you want to specify a specific name), and then click Use local machine store.
 * 3) Leave all the other options set to the default value unless you have to make a specific change.
 * 4) Click Submit.

If the Certificate Authority is configured to issue certificates automatically, the Certificate Issued page appears.
 * 1) Click Install this Certificate.

The Certificate Installed page appears with the following message: &quot;Your new certificate has been successfully installed.&quot;
 * 1) If the Certificate Authority is not configured to issue certificates automatically, a Certificate Pending page appears and requests that you wait for an administrator to issue the certificate that was requested.

To retrieve a certificate that an administrator has issued, return to the Web address, and then click Check on a pending certificate. Click the requested certificate, and then click Next.

If the certificate is still pending, the Certificate Pending page appears. If the certificate has been issued, the Install This Certificate page appears.

back to the top

Install a Local Computer Certificate from an Enterprise Windows Certificate Authority

 * 1) The request is a Web address that contains the IP address or name of the Certificate server, with /certsrv appended. In your Web browser, type the following Web address

http:// /certsrv

where  is the IP address or name of the Certificate server.
 * 1) If the computer that you are using is not logged on to the domain already, you are prompted to supply domain credentials.
 * 2) On the initial Welcome page of the Certificate server, click Request a Certificate, and then click Next.
 * 3) On the Choose Request Type page, click Advanced Request, and then click Next.
 * 4) On the Advanced Certificate Requests page, click Submit a certificate request to this CA using a form, and then click Next.
 * 5) On the Advanced Certificate Request page, click IPSEC (Offline Request) for the Certificate Template option. Restart Certificate services.
 * 6) Open the Certificate Authority snap-in, right-click Policy Settings, click New, click Certificate to Issue, select IPSec (Offline Request), and then click OK.

Note By default, this template is not listed on an Enterprise CA.
 * 1) Under Key Options, click Microsoft Base Cryptographic Provider v1.0, click Signature for Key Usage and then click 1024 for Key Size.
 * 2) Leave the Create new key set option selected (you can clear the Container Name check box unless you want to specify a name), and then click Use local machine store.
 * 3) Leave all the other options set to the default value unless you have to make a specific change.
 * 4) Click Submit.

The Certificate Issued page appears.
 * 1) Click Install this Certificate. The Certificate Installed page appears with the following message:

Your new certificate has been successfully installed.

back to the top

Verify That the Local Computer Certificate Has Been Installed
After the certificate is installed, verify the location of the certificate by using the Certificate (Local Computer) snap-in in the Microsoft Management Console (MMC). Your certificate appears under Personal.

If the certificate that you have installed does not appear here, the certificate was installed as a user certificate request, or you did not click Use local machine store in the advanced request.

back to the top

Additional query words: kbsecurity l2tp

Keywords: kbsecurityservices kbenv kbhowtomaster kbipsec kbtool KB323342

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.