HOW TO: Install a Certificate for Use with IP Security

Article ID: 253498
This article was previously published under Q253498
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.


SUMMARY

When IP Security (IPSec) is configured to use a certification authority (CA) for mutual authentication, you must obtain a local computer certificate. You can obtain this certificate from a third-party CA or you can install Certificate Services in Windows to create your own CA. This article describes how to install a local computer certificate for use with IPSec from a stand-alone Windows CA.

The local computer certificate is requested over HTTP. Because IPSec requires a local computer certificate, you must submit an advanced request to the CA so that you can specify this.

Installing a Local Computer Certificate from a Stand-Alone Windows Certificate Authority

  1. The request is a Web address that contains the IP address or name of the Certificate server, with "/certsrv" appended. In your Web browser, type the following Web address:
    http://IP address of CA/certsrv
    Where IP address of CA is the IP address or name of the Certificate server.

  2. In the initial Welcome screen of the Certificate server, click Request a certificate, and then click Next.
  3. In the "Choose Request Type" screen, click Advanced request, and then click Next.
  4. In the "Advanced Certificate Requests" screen, click Submit a certificate request to this CA using a form, and then click Next.
  5. In the "Advanced Certificate Request" screen, type your name and your e-mail name in the appropriate boxes.
  6. Under Intended Purpose, select Client Authentication Certificate or IPSec Certificate. If you choose IPSec Certificate, then this certificate will only be used for IPSec.
  7. Under Key Options, click Microsoft Base Cryptographic Provider v1.0, Signature for Key Usage and 1024 for Key Size.
  8. Leave the Create new key set option enabled (you can clear the Container Name check box unless you want to specify a specific name), and then click Use local machine store.
  9. Leave all the other options set to the default value unless you need to make a specific change.
  10. Click Submit.
  11. If the Certificate Authority is configured to issue certificates automatically, the "Certificate Issued" screen should appear. Click Install this Certificate. The "Certificate Installed" screen should appear with the message "Your new certificate has been successfully installed."
  12. If the Certificate Authority is not configured to issue certificates automatically, a "Certificate Pending" screen appears, requesting that you wait for an administrator to issue the certificate that was requested. To retrieve a certificate that an administrator has issued, return to the Web address and click Check on a pending certificate. Click the requested certificate, and then click Next. If the certificate is still pending, the "Certificate Pending" screen appears. If the certificate has been issued, the "Install this Certificate" screen appears.

Installing a Local Computer Certificate from an Enterprise Windows 2000 Certificate Authority

  1. The request is a Web address that contains the IP address or name of the Certificate server, with /certsrv appended. In your Web browser, type the following Web address:
    http://IP address of CA/certsrv
    Where IP address of CA is the IP address or name of the Certificate server.
  2. If the machine you are using is not logged onto the domain already, a prompt to supply domain credentials appears.
  3. In the initial Welcome screen of the Certificate server, click Request a Certificate, and then click Next.
  4. In the Choose Request Type screen, click Advanced Request, and then click Next.
  5. In the Advanced Certificate Requests screen, click Submit a certificate request to this CA using a form, and then click Next.
  6. In the Advanced Certificate Request screen for the Certificate Template option, select Administrator.
  7. Under Key Options, click Microsoft Base Cryptographic Provider v1.0, Signature for Key Usage and 1024 for Key Size.
  8. Leave the Create new key set option enabled (you can clear the Container Name check box unless you want to specify a specific name), and then click Use local machine store.
  9. Leave all the other options set to the default value unless you need to make a specific change.
  10. Click Submit.
  11. The Certificate Issued screen should appear. Click Install this Certificate. The Certificate Installed screen should appear with the message:
    Your new certificate has been successfully Installed

Verifying That the Local Computer Certificate Has Been Installed

After the certificate is installed, verify the location of the certificate by using the Certificate (Local Computer) snap-in in Microsoft Management Console (MMC). Your certificate should appear under Personal.

If the certificate you have installed does not appear here, the certificate was installed as a "User certificate request," or you did not click Use local machine store within the advanced request.
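
The same check can be scripted. The following is an added example, not part of the original article: it assumes a later Windows version that includes PowerShell and its Cert: drive (Windows 2000 does not), and the function name Get-IPSecCandidateCert is hypothetical. It looks for certificates carrying the Client Authentication or IPSec purpose in the local computer Personal store and reports when one is found only in the current user's store, which is the failure case described above.

```powershell
# Added example. Assumes PowerShell with the Cert: drive is available.
# EKU OIDs assumed to correspond to the two "Intended Purpose" choices in the form.
$WantedEku = @{
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}

function Get-IPSecCandidateCert {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$StorePath)
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # Collect the EKU OIDs; a certificate without an EKU extension yields none.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        $matched = @($ekus | Where-Object { $WantedEku.ContainsKey($_) })
        if ($matched.Count -gt 0) {
            [pscustomobject]@{
                Store      = $StorePath
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Purposes   = ($matched | ForEach-Object { $WantedEku[$_] }) -join ', '
                PrivateKey = $cert.HasPrivateKey
                Expired    = ($cert.NotAfter -lt (Get-Date))
            }
        }
    }
}

# "Personal" in the Certificates snap-in is the store named My.
$machine = @(Get-IPSecCandidateCert -StorePath 'Cert:\LocalMachine\My')
$user    = @(Get-IPSecCandidateCert -StorePath 'Cert:\CurrentUser\My')

if ($machine.Count -gt 0) {
    $machine | Format-List
    # IPSec authentication needs the private key and a certificate still in its validity period.
    $machine | Where-Object { -not $_.PrivateKey -or $_.Expired } | ForEach-Object {
        Write-Warning "Not usable for IPSec (no private key or expired): $($_.Subject)"
    }
} elseif ($user.Count -gt 0) {
    Write-Warning 'Found only in the current user store; "Use local machine store" was not selected in the request.'
    $user | Format-List
} else {
    Write-Warning 'No Client Authentication or IPSec certificate found in either Personal store.'
}
```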



REFERENCES

For information about installing Certificate Services in Windows, see the following article in the Microsoft Knowledge Base:
231881 How to Install/Uninstall a Public Key Certificate Authority



Properties

Article ID: 253498 - Last Review: October 12, 2007 - Revision: 4.6
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
Keywords: 
kbenv kbhowtomaster kbipsec KB253498
