Welcome to ISAserver.org


obtaining machine certificate scenario

All Forums >> [ISA Server 2004 Firewall] >> VPN >> obtaining machine certificate scenario
obtaining machine certificate scenario - 24.Oct.2004 11:11:00 PM
j2004 (Posts: 3, Joined: 24.Oct.2004, Status: offline)
Hello,

I need to be able to obtain a machine certificate for a non-domain member that is "offsite" (so I can't just bring the device onto the network as usual and use the normal web enrollment method).

Also, I don't want to publish cert services to the internet for the client.

Essentially I want to burn the certificate/key and CA chain cert to a CD, have this sent to the offsite VPN client and talk them through the configuration.

MS instructions are vague for doing this.

Cheers,

j
Post #: 1
RE: obtaining machine certificate scenario - 25.Oct.2004 1:02:00 AM
macrus (Posts: 58, Joined: 8.Feb.2002, From: Poland, Status: offline)
Hi j.

So you don't want to publish the CA's web enrollment interface? Consider it again - it is not so insecure - the user has to provide credentials and you can use https; you can set it up to allow access only for a specified period of time until everyone gets the necessary certificate, or open it on demand only...
It's much easier to do it with access to the interface...

OK, but if you have already decided not to publish, then you need a CA on Windows 2000, not 2003. Why? Because CAs on Windows 2003 do not allow marking the certificate's keys as exportable, so the certificate you create cannot then be imported on an external machine. Maybe someone here knows how to force Win2003 to do it; however, I haven't yet found it out.

If you have a CA on Windows 2000 then it's a bit easier - you can enroll a certificate for "Router (offline request)" (first you have to give yourself permissions to do it...), marking the keys as exportable and checking the box for storing the certificate in the local machine's store - then you install this certificate on your machine (local computer store) and finally export it to a PFX file with the private keys. Such a file can then be distributed on CDs as you want. But you'll have much more work, as you have to enroll a certificate for each user, install, export, put on CD etc...

Distribution of the CA's certificate (or chain) is easy - just download the file from the CA's web enrollment. The only inconvenience is that the user has to import the certificate into the local computer's store - if he chooses just to "install" it, then it goes to the user store and it does not work. It may be useful to distribute a pre-defined mmc console just for it.

cheers

(in reply to j2004)
Post #: 2
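The client-side half of the procedure macrus describes (PFX into the local computer store, CA chain into the machine Root/CA stores, not the user store) is where offsite installs usually go wrong. The following PowerShell is an added example, not from this thread or from Microsoft's VPN kit; it assumes a current Windows client with the PKI module (Import-PfxCertificate), an elevated prompt, and placeholder file paths and PFX password supplied by the caller. It imports both files, checks that the private key came along and that the chain builds from the machine store alone, and prints the certificate's CRL Distribution Points so the admin can tell whether an offsite client could ever reach them (the CRL question raised in the next post).

```powershell
# Added example (not from the thread): install an offline-issued machine
# certificate plus its CA chain on a non-domain Windows VPN client and verify.
# Paths and password are placeholders; run from an elevated PowerShell.
param(
    [string]$PfxPath     = 'D:\vpn-client.pfx',   # placeholder: PFX with private key from the CD
    [string]$CaChainPath = 'D:\ca-chain.p7b',     # placeholder: CA chain downloaded from web enrollment
    [string]$PfxPassword = '<PFX-PASSWORD>'       # placeholder
)

$ErrorActionPreference = 'Stop'
$pfxPwd = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force

# 1. Machine certificate + private key must land in LocalMachine\My.
#    Importing into CurrentUser\My is exactly the mistake the thread warns
#    about: the VPN/IPsec client cannot see a user-store certificate.
$leaf = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPwd
if (-not $leaf.HasPrivateKey) {
    throw "Imported certificate has no private key; the PFX was exported without it."
}

# 2. CA chain: self-signed certificates go to Root, everything else to CA
#    (intermediate). A .p7b may carry several certificates, so sort each one.
$coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$coll.Import($CaChainPath)
$rootStore  = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$interStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA',   'LocalMachine')
$rootStore.Open('ReadWrite'); $interStore.Open('ReadWrite')
try {
    foreach ($c in $coll) {
        if ($c.Subject -eq $c.Issuer) { $rootStore.Add($c) } else { $interStore.Add($c) }
    }
} finally {
    $rootStore.Close(); $interStore.Close()
}

# 3. Verify: the chain must build from the machine stores without any network
#    access, because the offsite client has none to the CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Chain does not build; a CA certificate is missing from the machine store."
}

# 4. Show where the certificate says its CRL lives (extension OID 2.5.29.31).
#    Revocation checking on an offsite client only works if these URLs are
#    reachable from outside; otherwise the CA's CDP configuration needs
#    changing before certificates are issued, which is what publishing changes.
$cdp = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { $cdp.Format($true) } else { 'No CRL Distribution Point extension present.' }

"Installed $($leaf.Subject) (thumbprint $($leaf.Thumbprint)); chain depth $($chain.ChainElements.Count)"
```

The revocation mode is set to NoCheck only for the install-time sanity check; once the CDP URLs printed in step 4 are confirmed reachable from the client's location, the same chain build with RevocationMode set to Online shows whether the VPN connection will pass a revocation check in practice.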
RE: obtaining machine certificate scenario - 25.Oct.2004 2:16:00 AM
j2004 (Posts: 3, Joined: 24.Oct.2004, Status: offline)
Thanks Maciej for your reply,

it has cleared up some grey areas for me.

If I publish it, do I have to edit cert services for CRL updating, or can I leave it at the defaults? I noticed one of the VPN kit scenarios mentioned making changes to cert services when published to the internet.

SSL is no problem as it is deployed already.

Thanks again,

j

(in reply to j2004)
Post #: 3