When IP Security (IPSec) is configured to use a Certificate Authority (CA) for mutual authentication, you must obtain a local computer certificate. This article describes how to install a local computer certificate for use with IPSec from a stand-alone Windows CA.
To obtain a local computer certificate, do one of the following:
Obtain this certificate from a third-party CA.
Install Certificate Services in Windows to create your own CA.
The local computer certificate is requested over HTTP by using the CA's Web enrollment pages. Because the certificate must be usable with IPSec, you must submit an advanced request so that you can specify this purpose to the CA.
When you are using a local Certificate Authority, the CA must be set up to allow IPSec certificates. The instructions in this article assume that you have permitted Client Authentication, IPSEC, and IPSEC (Offline Request). If these options are not available when you make the request, you must correctly set up your CA before you continue.
Install a Local Computer Certificate from a Stand-Alone Windows Certificate Authority
The request is made at a Web address that contains the IP address or name of the Certificate server, with "/certsrv" appended. In your Web browser, type the following Web address:
http://IP address of CA/certsrv
where IP address of CA is the IP address or name of the Certificate server.
On the initial Welcome page of the Certificate server, click Request a certificate, and then click Next.
On the Choose Request Type page, click Advanced request, and then click Next.
On the Advanced Certificate Requests page, click Submit a certificate request to this CA using a form, and then click Next.
On the Advanced Certificate Request page, type your name and your e-mail name in the appropriate boxes.
Under Type of certificate Needed, click Client Authentication Certificate or IPSec Certificate.
If you click IPSec Certificate, this certificate will only be used for IPSec.
Under Key Options, click Microsoft Base Cryptographic Provider v1.0, click Signature for Key Usage, and then click 1024 for Key Size.
Leave the Create new key set option selected (you can clear the Container Name check box unless you want to specify a particular container name), and then click Use local machine store.
Leave all the other options set to the default value unless you have to make a specific change.
If the Certificate Authority is configured to issue certificates automatically, the Certificate Issued page appears.
Click Install this Certificate.
The Certificate Installed page appears with the following message: "Your new certificate has been successfully installed."
If the Certificate Authority is not configured to issue certificates automatically, a Certificate Pending page appears and requests that you wait for an administrator to issue the certificate that was requested.
To retrieve a certificate that an administrator has issued, return to the Web address, and then click Check on a pending certificate. Click the requested certificate, and then click Next.
If the certificate is still pending, the Certificate Pending page appears. If the certificate has been issued, the Install This Certificate page appears.
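The same request can be made from the command line with certreq.exe instead of the /certsrv Web form. The following PowerShell script is an added example and is not part of the original article; the CA configuration string, host name and e-mail address are placeholders. It reproduces the Web-form choices above (signature key, 1024-bit key, Microsoft Base Cryptographic Provider v1.0, local machine store, IPSec and Client Authentication purposes) in an INF file, submits the request, and handles both the immediately issued and the pending case. Run it from an elevated prompt, because the key is created in the machine store.

```powershell
# Added example, not from the original article. Placeholders below are assumed values.
$CaConfig = 'CA-SERVER\Example Stand-Alone CA'              # assumed "<CA host>\<CA name>"
$Subject  = 'CN=host01.example.test,E=admin@example.test'   # constructed subject
$WorkDir  = Join-Path $env:TEMP 'ipsec-cert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir 'request.inf'
$ReqPath = Join-Path $WorkDir 'request.req'
$CerPath = Join-Path $WorkDir 'issued.cer'

# The INF mirrors the Web-form choices in the article.
# MachineKeySet = TRUE is the equivalent of "Use local machine store".
@"
[NewRequest]
Subject = "$Subject"
KeySpec = 2                 ; 2 = AT_SIGNATURE, the "Signature" key usage choice
KeyLength = 1024            ; value from the article; current systems usually use 2048 or more
MachineKeySet = TRUE        ; key goes to the local machine store, not the user profile
ProviderName = "Microsoft Base Cryptographic Provider v1.0"
ProviderType = 1
RequestType = PKCS10
KeyUsage = 0x80             ; digitalSignature

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.8.2.2     ; IP security IKE intermediate (the "IPSec Certificate" choice)
OID = 1.3.6.1.5.5.7.3.2     ; Client Authentication
"@ | Set-Content -Path $InfPath -Encoding ASCII

# Generate the key pair in the machine store and write the PKCS#10 request.
certreq -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Submit to the CA. -config names the CA so no interactive CA picker appears.
$submitOutput = certreq -submit -config $CaConfig $ReqPath $CerPath 2>&1 | Out-String
Write-Host $submitOutput

$requestId = $null
if ($submitOutput -match 'RequestId:\s*(\d+)') { $requestId = $Matches[1] }

if (Test-Path $CerPath) {
    # The CA issued the certificate immediately (the "Certificate Issued" page).
    # -accept binds the issued certificate to the pending key: "Install this Certificate".
    certreq -accept $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
}
elseif ($requestId) {
    # The request is pending ("Certificate Pending" page). After an administrator
    # issues it, retrieve and install it; this is the "Check on a pending certificate" step.
    Write-Host "Request $requestId is pending. After it is issued, run:"
    Write-Host "  certreq -retrieve -config `"$CaConfig`" $requestId `"$CerPath`""
    Write-Host "  certreq -accept `"$CerPath`""
}
else {
    throw "Submission failed:`n$submitOutput"
}
```

The request and certificate files are left in the working directory so that the pending case can be completed later from the same machine; the private key itself never leaves the machine key store.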
Verify That the Local Computer Certificate Has Been Installed
After the certificate is installed, verify the location of the certificate by using the Certificates (Local Computer) snap-in in the Microsoft Management Console (MMC). Your certificate appears under Personal.
If the certificate that you installed does not appear here, the request was made as a user certificate request (the certificate was installed in the current user's store), or you did not click Use local machine store in the advanced request.
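The following PowerShell script is an added example, not part of the original article, and performs the same check as the snap-in from the command line: it lists certificates in the local computer Personal store that carry an IPSec or Client Authentication purpose, reports whether each has a usable private key held in the machine key store and chains to a trusted root, and, if none is found, looks in the current user's Personal store for the misplaced certificate that the paragraph above describes. The EKU OIDs are the standard IP security IKE intermediate and Client Authentication values; nothing else is assumed.

```powershell
# Added example, not from the original article.
$IpsecEkuOids = @(
    '1.3.6.1.5.5.8.2.2',   # IP security IKE intermediate
    '1.3.6.1.5.5.7.3.2'    # Client Authentication
)

function Get-IPsecCandidateCertificate {
    param([string]$StorePath)   # e.g. Cert:\LocalMachine\My
    Get-ChildItem -Path $StorePath | Where-Object {
        $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        # A certificate with no EKU extension is valid for any purpose, so keep it too.
        ($ekus.Count -eq 0) -or
        (@($ekus | Where-Object { $IpsecEkuOids -contains $_ }).Count -gt 0)
    }
}

$found = @(Get-IPsecCandidateCertificate -StorePath 'Cert:\LocalMachine\My')

foreach ($cert in $found) {
    # For CAPI keys (such as the Base provider used in the article) the
    # container info tells us whether the key really lives in the machine store.
    $csp = $null
    try { $csp = $cert.PrivateKey.CspKeyContainerInfo } catch { }
    $machineKey = if ($csp) { $csp.MachineKeyStore } else { 'n/a' }
    $provider   = if ($csp) { $csp.ProviderName }     else { 'n/a' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # must be True, otherwise IKE cannot sign with it
        MachineKey    = $machineKey
        Provider      = $provider
        EKU           = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
        ChainBuilds   = $cert.Verify()        # chains to a trusted root on this computer?
    }
}

if ($found.Count -eq 0) {
    # Same symptom the article describes: the request ran in the user context or
    # "Use local machine store" was not selected, so the certificate is under the user.
    $userCerts = @(Get-IPsecCandidateCertificate -StorePath 'Cert:\CurrentUser\My')
    if ($userCerts.Count -gt 0) {
        Write-Warning ("No IPSec certificate in LocalMachine\My, but {0} found in CurrentUser\My. " +
                       "Repeat the request with Use local machine store selected.") -f $userCerts.Count
        $userCerts | Select-Object Subject, Issuer, NotAfter
    }
    else {
        Write-Warning 'No IPSec-capable certificate found in LocalMachine\My or CurrentUser\My.'
    }
}
```

A certificate that appears in the list but shows HasPrivateKey as False, or MachineKey as False, is one that IPSec on this computer cannot use even though it is in the right store; ChainBuilds False means the issuing CA's certificate is not yet in the local Trusted Root Certification Authorities store, which the IPSec peers will also need.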