Microsoft KB Archive/323342

From BetaArchive Wiki

Article ID: 323342

Article Last Modified on 12/3/2007



APPLIES TO

  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition



This article was previously published under Q323342

SUMMARY

When IP Security (IPSec) is configured to use a Certificate Authority (CA) for mutual authentication, you must obtain a local computer certificate. This article describes how to install a local computer certificate for use with IPSec from a stand-alone Windows CA.

To obtain a local computer certificate, do one of the following:

  • Obtain this certificate from a third-party CA.
  • Install Certificate Services in Windows to create your own CA.

The local computer certificate is requested over HTTP from the CA's Web enrollment pages (/certsrv). Because the certificate must be usable by IPSec and must be stored in the local computer's certificate store rather than the user's, you must submit an advanced request to the CA so that you can specify this.

When you are using a local Certificate Authority, the CA must be set up to issue certificates that are suitable for IPSec. The instructions in this article assume that the CA permits the Client Authentication, IPSec, and IPSec (Offline Request) certificate types. If any of these is missing when you make the request, set up your CA correctly before you continue.


Install a Local Computer Certificate from a Stand-Alone Windows Certificate Authority

  1. The request is a Web address that contains the IP address or name of the Certificate server, with "/certsrv" appended. In your Web browser, type the following Web address


http://IP address of CA/certsrv

where IP address of CA is the IP address or name of the Certificate server.

  2. On the initial Welcome page of the Certificate server, click Request a certificate, and then click Next.
  3. On the Choose Request Type page, click Advanced request, and then click Next.
  4. On the Advanced Certificate Requests page, click Submit a certificate request to this CA using a form, and then click Next.
  5. On the Advanced Certificate Request page, type your name and your e-mail address in the appropriate boxes.
  6. Under Type of certificate Needed, click Client Authentication Certificate or IPSec Certificate.


If you click IPSec Certificate, the certificate can be used only for IPSec.

  7. Under Key Options, click Microsoft Base Cryptographic Provider v1.0, click Signature for Key Usage, and then click 1024 for Key Size.


Note 1024 bits was the default when this article was written. A 1024-bit RSA key is no longer considered adequate; select 2048 or larger if the CA and your IPSec peers support it.

  8. Leave the Create new key set option selected (you can clear the Container Name check box unless you want to specify a specific name), and then click Use local machine store. This option is required: without it the certificate is installed in the user's store, and IPSec cannot use it.
  9. Leave all the other options set to the default value unless you have to make a specific change.
  10. Click Submit.


If the Certificate Authority is configured to issue certificates automatically, the Certificate Issued page appears.

  11. Click Install this Certificate.


The Certificate Installed page appears with the following message: "Your new certificate has been successfully installed."

  12. If the Certificate Authority is not configured to issue certificates automatically, a Certificate Pending page appears and requests that you wait for an administrator to issue the certificate that was requested.


To retrieve a certificate that an administrator has issued, return to the Web address, and then click Check on a pending certificate. Click the requested certificate, and then click Next.

If the certificate is still pending, the Certificate Pending page appears. If the certificate has been issued, the Install This Certificate page appears; click Install this Certificate.



Install a Local Computer Certificate from an Enterprise Windows Certificate Authority

  1. The request is a Web address that contains the IP address or name of the Certificate server, with /certsrv appended. In your Web browser, type the following Web address


http://IP address of CA/certsrv

where IP address of CA is the IP address or name of the Certificate server.

  2. If the computer that you are using is not logged on to the domain already, you are prompted to supply domain credentials.
  3. On the initial Welcome page of the Certificate server, click Request a Certificate, and then click Next.
  4. On the Choose Request Type page, click Advanced Request, and then click Next.
  5. On the Advanced Certificate Requests page, click Submit a certificate request to this CA using a form, and then click Next.
  6. On the Advanced Certificate Request page, click IPSEC (Offline Request) for the Certificate Template option.


Note By default, this template is not listed on an Enterprise CA. If it is not listed, open the Certification Authority snap-in on the CA, right-click Policy Settings (named Certificate Templates in Windows Server 2003), click New, click Certificate to Issue, select IPSec (Offline Request), and then click OK. Restart Certificate Services, and then reload the Advanced Certificate Request page so that the template appears.

  7. Under Key Options, click Microsoft Base Cryptographic Provider v1.0, click Signature for Key Usage, and then click 1024 for Key Size. (As for the stand-alone CA, 2048 bits or larger is advisable where the CA and the IPSec peers support it.)
  8. Leave the Create new key set option selected (you can clear the Container Name check box unless you want to specify a name), and then click Use local machine store. This option is required; otherwise the certificate is installed in the user's store and IPSec cannot use it.
  9. Leave all the other options set to the default value unless you have to make a specific change.
  10. Click Submit.


The Certificate Issued page appears.

  11. Click Install this Certificate. The Certificate Installed page appears with the following message:


Your new certificate has been successfully installed.
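The two Web-form procedures above (stand-alone CA and Enterprise CA) can be scripted with certreq.exe, which ships with Windows Server 2003 and later. The following is an added example, not a script from the KB article or from Microsoft; it makes the same advanced request with the Key Options the article calls for (Microsoft Base Cryptographic Provider v1.0, a Signature key, the local machine store) and handles the pending-request case. The subject name, CA config string, file paths, and the assumption that the Enterprise CA issues the IPSec (Offline request) template are illustrative and must be replaced for your environment. Run it in an elevated PowerShell session on the computer that needs the certificate.

```powershell
# Added example (not from KB 323342): request a local computer certificate for
# IPSec with certreq.exe instead of the /certsrv Web form.

$Subject    = "CN=host1.contoso.local"               # assumed: this computer's name
$CAConfig   = "ca1.contoso.local\Contoso Issuing CA" # assumed: "CAHost\CA name"
$Enterprise = $true   # $false for a stand-alone CA (no template attribute is sent)
$KeyLength  = 1024    # the article's value; 2048 or larger is advisable today

$Work = Join-Path $env:TEMP "ipsec-enroll"
New-Item -ItemType Directory -Force -Path $Work | Out-Null
$Inf = Join-Path $Work "ipsec.inf"
$Req = Join-Path $Work "ipsec.req"
$Cer = Join-Path $Work "ipsec.cer"

# 0. On an Enterprise CA, confirm it issues the template before submitting
#    (equivalent to adding it under Certificate to Issue in the CA snap-in).
if ($Enterprise) {
    $templates = & certutil.exe -config $CAConfig -CATemplates 2>&1 | Out-String
    if ($templates -notmatch 'IPSECIntermediateOffline') {
        throw "CA $CAConfig does not issue 'IPSec (Offline request)'; add the template on the CA first."
    }
}

# KeySpec 2 = AT_SIGNATURE ("Signature" in the Web form); KeyUsage 0x80 =
# digitalSignature; MachineKeySet TRUE = "Use local machine store". The EKU OIDs
# are IP security IKE intermediate and Client Authentication. Single-quoted
# here-string, so "$Windows NT$" is written literally.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "__SUBJECT__"
ProviderName = "Microsoft Base Cryptographic Provider v1.0"
ProviderType = 1
KeySpec = 2
KeyLength = __KEYLENGTH__
KeyUsage = 0x80
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.8.2.2
OID = 1.3.6.1.5.5.7.3.2
'@
if ($Enterprise) {
    # IPSECIntermediateOffline is the template name behind "IPSec (Offline request)".
    $inf += "`r`n[RequestAttributes]`r`nCertificateTemplate = IPSECIntermediateOffline`r`n"
}
$inf.Replace("__SUBJECT__", $Subject).Replace("__KEYLENGTH__", "$KeyLength") |
    Set-Content -Path $Inf -Encoding ASCII

# 1. Generate the key pair in the machine store and build the PKCS#10 request.
& certreq.exe -new $Inf $Req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

# 2. Submit it. An auto-issuing CA returns the certificate immediately; otherwise
#    the request is taken under submission and must be retrieved later by its
#    RequestId, which is what "Check on a pending certificate" does on the Web page.
$submit    = & certreq.exe -submit -config $CAConfig $Req $Cer 2>&1 | Out-String
$requestId = if ($submit -match 'RequestId:\s*(\d+)') { [int]$Matches[1] } else { $null }

if (-not (Test-Path $Cer)) {
    if ($null -eq $requestId) { throw "Submission failed:`r`n$submit" }
    Write-Host "Request $requestId is pending approval on $CAConfig."
    Write-Host "After the administrator issues it, run:"
    Write-Host "  certreq.exe -retrieve -config `"$CAConfig`" $requestId `"$Cer`""
    Write-Host "  certreq.exe -accept `"$Cer`""
    return
}

# 3. Bind the issued certificate to the machine-store key (the Web form's
#    "Install this Certificate"). It lands in Cert:\LocalMachine\My.
& certreq.exe -accept $Cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }
Write-Host "Certificate for $Subject installed in the local computer store."
```

The INF must be generated and accepted under an account that can write to the machine key store, which in practice means an administrator. On Windows Vista and later certreq also accepts a -machine switch; if certreq -accept reports that it cannot find the matching request, re-run it with -machine so it searches the computer's REQUEST store.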



Verify That the Local Computer Certificate Has Been Installed

After the certificate is installed, verify where it was stored by using the Certificates (Local Computer) snap-in in the Microsoft Management Console (MMC). Your certificate appears under Personal, in the Certificates folder.

If the certificate that you installed does not appear there, it was installed as a user certificate: either the request was made as a user certificate request, or you did not click Use local machine store in the advanced request. In that case it appears under Personal in the Certificates - Current User snap-in instead. IPSec uses only certificates in the local computer store, so repeat the advanced request with Use local machine store selected.
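The same verification from a PowerShell prompt, as an added example that is not part of the KB article. It lists certificates in the local computer's Personal store, confirms that the private key is present, that the Extended Key Usage is one that IKE accepts (IP security IKE intermediate or Client Authentication; by X.509 rules a certificate with no EKU extension is valid for all purposes), and that the certificate chains to a root the computer trusts. It also detects the failure mode described above, a certificate that landed in the current user's store. The subject filter is an assumption.

```powershell
# Added example (not from KB 323342): check that the IPSec computer certificate
# is in Cert:\LocalMachine\My and usable, and warn if it went to the user store.

$IkeIntermediateOid = "1.3.6.1.5.5.8.2.2"   # IP security IKE intermediate
$ClientAuthOid      = "1.3.6.1.5.5.7.3.2"   # Client Authentication

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.37 is the Extended Key Usage extension; .NET exposes it as a typed
    # X509EnhancedKeyUsageExtension with an EnhancedKeyUsages collection.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if ($null -eq $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-IpsecMachineCertificate {
    param([string]$SubjectLike = "*")
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like $SubjectLike } |
        ForEach-Object {
            $eku = Get-EkuOids $_
            New-Object PSObject -Property @{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                IkeUsableEku  = ($eku.Count -eq 0) -or
                                ($eku -contains $IkeIntermediateOid) -or
                                ($eku -contains $ClientAuthOid)
                ChainTrusted  = $_.Verify()   # builds and validates the chain
            }
        }
}

$filter  = "CN=host1.contoso.local*"   # assumed subject of the new certificate
$machine = @(Test-IpsecMachineCertificate -SubjectLike $filter)

if ($machine.Count -eq 0) {
    $user = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -like $filter })
    if ($user.Count -gt 0) {
        Write-Warning ("Found in CurrentUser\My, not LocalMachine\My: the request was made as a " +
                       "user certificate or 'Use local machine store' was not selected. " +
                       "IPSec will not use it; repeat the advanced request.")
    } else {
        Write-Warning "No certificate matching $filter in either store; the request may still be pending."
    }
} else {
    $machine | Format-Table Subject, Thumbprint, NotAfter, HasPrivateKey, IkeUsableEku, ChainTrusted -AutoSize
    $bad = @($machine | Where-Object { -not ($_.HasPrivateKey -and $_.IkeUsableEku -and $_.ChainTrusted) })
    if ($bad.Count -gt 0) {
        Write-Warning "Certificate(s) present but not usable for IPSec: missing private key, wrong EKU, or untrusted chain."
    }
}
```

ChainTrusted is false when the issuing CA's root certificate is not in the local computer's Trusted Root Certification Authorities store; IKE certificate authentication fails in that case even though the computer certificate itself is installed correctly, so import the root certificate into the computer store (not the user's) before testing the IPSec policy.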




Additional query words: kbsecurity l2tp

Keywords: kbsecurityservices kbenv kbhowtomaster kbipsec kbtool KB323342