AD CS 2008 - issuing IPSEC certs from a stand-alone CA:

Posted by Kristin Griffin on January 31, 2008, 3:17 pm
Hi there,

I set up a lab with the following components:

1 AD CS 2008 stand-alone CA = IPSECCA1
2 Vista clients = IPSECPC1, IPSECPC2
WORKGROUP (no domain)

I set up my Vista clients to use an IPsec policy, and I thought that the
kind of cert I should issue from my CA was one having to do with IPsec, or
IKE authentication.

I would issue a certificate and then turn on the policy on each client (the
policy was the same on each one), and see if I could do a ping test.

It turned out, through process of elimination that I needed to issue a
digital signing cert.

Can anyone explain that to me?

My IP policy on the Vista clients was a very basic policy which included:

- my IP filter list included ANY (source, dest, etc.)
- filter action was to negotiate security based on the default method
  preference order, integrity and encryption (data will be encrypted and
  verified as authentic and unmodified)
- this was not for a tunnel endpoint
- my authentication method was set to: use a cert from this CA: CN=IPSECCA1


Thanks for your thoughts in advance,

Kristin



Posted by Brian Komar on February 1, 2008, 11:46 am
The certificates are used to authenticate the two endpoints, not to encrypt
data.
Since it is for authentication, digital signing makes perfect sense.
Brian



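As an added example (not part of either post above), this PowerShell script shows the two checks that follow from Brian's point: on each Vista client, confirm that the machine certificate issued by the stand-alone CA is actually usable for IKE authentication, i.e. it has a private key and its Key Usage extension includes Digital Signature, and then build a connection security rule that authenticates peers with a computer certificate chaining to that CA. It assumes the CA's subject is exactly CN=IPSECCA1 (as in the post), that the client cert was enrolled into the Local Machine Personal store, and that the CA's root certificate has been placed in each client's Trusted Root store (without that, the peer's certificate cannot chain and IKE authentication fails regardless of key usage). The rule is expressed with netsh advfirewall consec, the Vista/2008 firewall-integrated IPsec tool; requireinrequestout is this example's choice for "negotiate security", and quick-mode methods are left at their defaults to match the post's "default method preference order".

```powershell
# Added example, not from the original thread. Assumptions: CA subject is
# CN=IPSECCA1, client cert lives in Cert:\LocalMachine\My, root CA cert is
# already trusted on both clients. Run from an elevated prompt.

$caSubject = 'CN=IPSECCA1'

function Get-IpsecMachineCert {
    param([string]$IssuerDn)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            if ($cert.Issuer -ne $IssuerDn) { continue }
            # IKE signs the handshake with this key, so a cert without a private
            # key cannot authenticate this host no matter what its EKU says.
            if (-not $cert.HasPrivateKey) { continue }
            $ku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
            }
            $signing = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
            # Key Usage must include Digital Signature; an encryption-only cert
            # (e.g. Key Encipherment alone) is why the IPsec/IKE-flavoured attempts
            # in the post failed while a digital signing cert worked.
            if ($ku -and ($ku.KeyUsages -band $signing)) { return $cert }
        }
    } finally {
        $store.Close()
    }
    return $null
}

$cert = Get-IpsecMachineCert -IssuerDn $caSubject
if (-not $cert) {
    Write-Error "No machine certificate from $caSubject with Digital Signature key usage and a private key."
    return
}
Write-Host ("Using certificate {0} (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint)

# Transport-mode rule matching the intent of the post's policy: any source and
# destination, authenticate with a computer certificate issued by the named CA,
# default quick-mode integrity + encryption methods. Identical on both clients.
$rule = @(
    'netsh advfirewall consec add rule',
    'name="IPsec cert auth (lab)"',
    'endpoint1=any endpoint2=any',
    'mode=transport',
    'action=requireinrequestout',
    'auth1=computercert',
    ('auth1ca="{0}"' -f $caSubject)
) -join ' '
Write-Host $rule
# To apply it directly instead of printing it: Invoke-Expression $rule
```

After the rule is in place on both machines, a ping between IPSECPC1 and IPSECPC2 should negotiate a security association; if it does not, checking that the root CA certificate is present in Trusted Root Certification Authorities on both hosts is the first thing to verify, since the certificate's only job here is to authenticate the peer.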