HOW TO: Install a Certificate for Use with IP Security

Article ID: 253498
Last Review: October 12, 2007
Revision: 4.4
This article was previously published under Q253498

SUMMARY

When IP Security (IPSec) is configured to use a certification authority (CA) for mutual authentication, you must obtain a local computer certificate. You can obtain this certificate from a third-party CA or you can install Certificate Services in Windows to create your own CA. This article describes how to install a local computer certificate for use with IPSec from a stand-alone Windows CA.

The local computer certificate is requested by using HTTP. Because a local computer certificate must be used with IPSec, you must submit an advanced request to the CA to specify this.


Installing a Local Computer Certificate from a Stand-Alone Windows Certificate Authority

1. The request is a Web address that contains the IP address or name of the Certificate server, with "/certsrv" appended. In your Web browser, type the following Web address:
   http://IP address of CA/certsrv
   where IP address of CA is the IP address or name of the Certificate server.
2. In the initial Welcome screen of the Certificate server, click Request a certificate, and then click Next.
3. In the "Choose Request Type" screen, click Advanced request, and then click Next.
4. In the "Advanced Certificate Requests" screen, click Submit a certificate request to this CA using a form, and then click Next.
5. In the "Advanced Certificate Request" screen, type your name and your e-mail name in the appropriate boxes.
6. Under Intended Purpose, select Client Authentication Certificate or IPSec Certificate. If you choose IPSec Certificate, this certificate will be used only for IPSec.
7. Under Key Options, click Microsoft Base Cryptographic Provider v1.0, Signature for Key Usage and 1024 for Key Size.
8. Leave the Create new key set option enabled (you can clear the Container Name check box unless you want to specify a specific name), and then click Use local machine store.
9. Leave all the other options set to the default value unless you need to make a specific change.
10. Click Submit.
11. If the Certificate Authority is configured to issue certificates automatically, the "Certificate Issued" screen should appear. Click Install this Certificate. The "Certificate Installed" screen should appear with the message "Your new certificate has been successfully installed."
12. If the Certificate Authority is not configured to issue certificates automatically, a "Certificate Pending" screen appears, requesting that you wait for an administrator to issue the certificate that was requested. To retrieve a certificate that an administrator has issued, return to the Web address and click Check on a pending certificate. Click the requested certificate, and then click Next. If the certificate is still pending, the "Certificate Pending" screen appears. If the certificate has been issued, the "Install this Certificate" screen appears.


Installing a Local Computer Certificate from an Enterprise Windows 2000 Certificate Authority

1. The request is a Web address that contains the IP address or name of the Certificate server, with /certsrv appended. In your Web browser, type the following Web address:
   http://IP address of CA/certsrv
   where IP address of CA is the IP address or name of the Certificate server.
2. If the machine you are using is not logged onto the domain already, a prompt to supply domain credentials appears.
3. In the initial Welcome screen of the Certificate server, click Request a Certificate, and then click Next.
4. In the Choose Request Type screen, click Advanced Request, and then click Next.
5. In the Advanced Certificate Requests screen, click Submit a certificate request to this CA using a form, and then click Next.
6. In the Advanced Certificate Request screen for the Certificate Template option, select Administrator.
7. Under Key Options, click Microsoft Base Cryptographic Provider v1.0, Signature for Key Usage and 1024 for Key Size.
8. Leave the Create new key set option enabled (you can clear the Container Name check box unless you want to specify a specific name), and then click Use local machine store.
9. Leave all the other options set to the default value unless you need to make a specific change.
10. Click Submit.
11. The Certificate Issued screen should appear. Click Install this Certificate. The Certificate Installed screen should appear with the message:
    Your new certificate has been successfully Installed


Verifying That the Local Computer Certificate Has Been Installed

After the certificate is installed, verify the location of the certificate by using the Certificates (Local Computer) snap-in in Microsoft Management Console (MMC). Your certificate should appear under Personal.

If the certificate you have installed does not appear here, the certificate was installed as a "User certificate request," or you did not click Use local machine store within the advanced request.
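
The same check can be scripted. The following is an added example, not part of the original article: it assumes a later Windows version with PowerShell 3.0 or later (Windows 2000 does not include PowerShell), and Get-IPSecCandidateCert is a hypothetical helper name. It lists certificates whose intended purposes fit IPSec in both the local computer and current user Personal stores, and flags the case described above where the certificate was installed only as a user certificate.

```powershell
# Added example (not from the original article). Get-IPSecCandidateCert is a
# hypothetical helper name. Requires PowerShell 3.0 or later.
# Enhanced Key Usage OIDs that make a certificate usable for IPSec authentication.
$wantedEku = @{
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.7.3.5' = 'IP security end system'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}

function Get-IPSecCandidateCert {
    param([Parameter(Mandatory = $true)][string]$StorePath)
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku) {
            $purposes = @($eku.EnhancedKeyUsages |
                Where-Object { $wantedEku.ContainsKey($_.Value) } |
                ForEach-Object { $wantedEku[$_.Value] })
            if ($purposes.Count -eq 0) { continue }   # issued for other purposes only
        } else {
            # A certificate without an EKU extension is not restricted by purpose.
            $purposes = @('All purposes (no EKU extension)')
        }
        [pscustomobject]@{
            Store         = $StorePath
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Purposes      = $purposes -join ', '
            HasPrivateKey = $cert.HasPrivateKey
            Expired       = $cert.NotAfter -lt (Get-Date)
            Thumbprint    = $cert.Thumbprint
        }
    }
}

# "Personal" in the Certificates snap-in is the store named My.
$machine = @(Get-IPSecCandidateCert -StorePath 'Cert:\LocalMachine\My')
$user    = @(Get-IPSecCandidateCert -StorePath 'Cert:\CurrentUser\My')

$machine + $user | Format-List
if ($machine.Count -eq 0 -and $user.Count -gt 0) {
    Write-Warning 'Certificate is in the user store only: request it again with "Use local machine store" selected.'
} elseif ($machine.Count -eq 0) {
    Write-Warning 'No certificate suitable for IPSec was found in the local computer Personal store.'
}
```

A certificate listed under Cert:\LocalMachine\My with HasPrivateKey set to False cannot be used for authentication, because the private key was not created in the local machine store.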




REFERENCES

For information about installing Certificate Services in Windows, see the following article in the Microsoft Knowledge Base:
231881 (http://support.microsoft.com/kb/231881/EN-US/) How to Install/Uninstall a Public Key Certificate Authority





APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional Edition
