Posted by mikee.netsec on June 9, 2005, 9:23 am
I am looking to set up IPSEC policies between Windows machines that
require certificate authentication. This works pretty easily if you
are using a Microsoft Certificate Authority. However, I am not. I've
been trying to generate PKCS#10 requests with the certreq utility to
send to third-party CAs. Currently I'm using the template below to
generate the request. Depending on various settings that I change, I
either get a "general processing error" with the IPSEC authentication
or I get a "No private key associated with machine certificate." The
certificate appears nearly identical to the one that is generated with
the Microsoft CA. Removing the MachineKeySet attribute seems to
associate a private key with the public key in the Certificates MMC;
otherwise the certificate does not say that you have a private key
associated with the certificate. Either way, negotiation does not
succeed.
Microsoft's documentation on the certreq utility and attributes of the
policy file is pretty dismal. I've had to piece most of everything
together from examples in many different places. I would very much
appreciate any input anyone has to offer at this point.
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "CN=<fqdn of server>"
KeySpec = 1
KeyLength = 2048
KeyUsage = 0xa0
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
Exportable = TRUE
MachineKeySet = FALSE
Silent = TRUE
UseExistingKeySet = FALSE
PrivateKeyArchive = FALSE
EncipherOnly = FALSE
UserProtected = FALSE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.8.2.2
[RequestAttributes]
CertificateTemplate = "IPSECIntermediateOffline"
certreq command line:
certreq -new <policy file above> <output file>
Posted by mikee.netsec on June 9, 2005, 1:47 pm
I believe I found my own answer (finally). Changing the key usage
parameter to 0x30 instead of 0xA0 sets the certificate usage for Key
Encipherment, Data Encipherment. This is the only piece I believe I
was missing, as the initial certificates and testing appear to be
working. If you use the template below with the certreq utility
(available in the Windows Server 2003 Adminpak.msi) you should be able
to generate a PKCS#10 Certificate Request for ANY CA that supports Key
Encipherment and Data Encipherment key usages.
The certreq utility can be run on Windows 2000, XP, and 2003. Since
the Windows 2003 adminpak.msi only runs on XP and Server 2003, you need
to copy the certreq.exe, certadm.dll, certcli.dll, and certutil.exe
files to a local or shared directory to run it on Windows 2000.
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "CN=<server fqdn>"
KeySpec = 1
KeyLength = 2048
KeyUsage = 0x30
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
Exportable = TRUE
MachineKeySet = FALSE
Silent = TRUE
UseExistingKeySet = FALSE
PrivateKeyArchive = FALSE
EncipherOnly = FALSE
UserProtected = FALSE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.8.2.2
[RequestAttributes]
CertificateTemplate = "IPSECIntermediateOffline"
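As an added illustration (this is not code from the thread), a small Python parser for the certreq policy file above that decodes the KeyUsage bitmask (the CryptoAPI values from wincrypt.h, so 0xA0 is digitalSignature + keyEncipherment and 0x30 is keyEncipherment + dataEncipherment) and reports what a reviewer would check before sending the request to a CA: whether the key may be used for signing, since IKE certificate authentication signs with the private key, and whether MachineKeySet and Exportable put the key in the computer store without making it exportable. The sample INF text is constructed for the example, and the set of review checks is this example's own assumption, not something certreq enforces.

```python
# CryptoAPI key-usage bits (wincrypt.h); certreq's KeyUsage is this bitmask.
KEY_USAGE_BITS = {
    0x80: "digitalSignature", 0x40: "nonRepudiation",
    0x20: "keyEncipherment",  0x10: "dataEncipherment",
    0x08: "keyAgreement",     0x04: "keyCertSign",
    0x02: "cRLSign",          0x01: "encipherOnly",
}

def parse_inf(text):
    """Parse a certreq policy (INF) file into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts an INF comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:   # split on the first '=' only,
            key, value = (p.strip() for p in line.split("=", 1))  # Subject has '='
            sections[current][key] = value.strip('"')
    return sections

def decode_key_usage(value):
    """Names of the RFC 5280 KeyUsage bits set in a certreq KeyUsage value."""
    mask = int(value, 0)                              # "0xa0", "0x30" or decimal
    return [name for bit, name in KEY_USAGE_BITS.items() if mask & bit]

def review_request(text):
    """Review findings (assumed checks) for an IPsec machine-certificate request."""
    req = parse_inf(text).get("NewRequest", {})
    usage = decode_key_usage(req.get("KeyUsage", "0"))
    findings = []
    if "digitalSignature" not in usage:
        findings.append("KeyUsage lacks digitalSignature; IKE signs with this key")
    if req.get("MachineKeySet", "FALSE").upper() != "TRUE":
        findings.append("MachineKeySet is not TRUE; key goes to the user store, "
                        "not the computer store IPsec uses")
    if req.get("Exportable", "FALSE").upper() == "TRUE":
        findings.append("Exportable = TRUE; the private key can be exported")
    return findings

# Constructed sample, modelled on the template in the thread.
SAMPLE_INF = """\
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "CN=<fqdn of server>"
KeySpec = 1
KeyUsage = 0x30
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
Exportable = TRUE
MachineKeySet = FALSE
"""
```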
Posted by mikee.netsec on June 15, 2005, 8:51 am
OK, after a ton of testing and aggravation, this does not work either.
I'll repost the question again. I'm beginning to think that
Certreq.exe is not capable of generating a good PKCS#10 offline
certificate request that will work for IPSEC authentication.