
Offline certificate creation fails on Windows 2003 enterprise CA without IIS

microsoft.public.windows.server.security
Posted by HartleysXB on March 27, 2006, 7:41 pm
Hi!
Apologies in advance about this going on a bit.

I've been trying on and off for ages to generate offline certificate
requests to enable L2TP / IPsec VPN access for clients that can't
be auto-enrolled for certificates. The Enterprise root
certificate server runs on the domain controller running Windows 2003
Enterprise Edition and (annoyingly) policy dictates that IIS should not
be run on the DC / certificate server, which makes life a lot harder.

Before I do anything on the (working) live service I have created under
virtual PC a domain controller / certificate authority, RRAS server and
client PC (running XP) which is a domain member and has been
autoallocated a certificate. This system works and proves my test rig
is OK. I also have another client PC without the certificate that's
not a domain member.

On the certificate server I am:
- Creating a custom Computer certificate template
- Issuing that template
- Requesting an exportable certificate (using the command line utility
certreq)
- Submitting the request
- Exporting the issued certificate from the MMC snap-in

On the client I then:
- Import the trusted root certificate
- Import the client certificate

Everything seems to work fine except attempted VPN connections from the
non-domain member PC which fail with either "Error 792: The L2TP
connection attempt failed because security negotiation timed out" or
(more commonly) "Error 789: The L2TP connection attempt failed
because the security layer encountered a processing error during
initial negotiations with the remote computer."

Comparing the certificates on the working and non-working PCs the non
working PC appears to have a certificate without a corresponding
private key, which I guess is the problem - does this sound reasonable?

In more detail - the certificate template should allow the private key
to be exported, and the .inf file being provided as a parameter to
certreq specifies EXPORTABLE = TRUE. When I come to export the issued
certificate, only the public key is apparently exported by the
Certificate Export Wizard, which should give me the option to export
the private key. certreq -retrieve hasn't helped either - does anyone
have any bright ideas?

Thanks a lot

Kevin
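The procedure the post describes, as an added worked example (not the poster's own script and not a Microsoft sample). The point it makes explicit: certreq -new generates the private key in the key store of the machine where it runs, and the CA's MMC only ever holds the public certificate, so a .cer exported from the CA and imported on a client arrives without a private key. certreq -accept on the requesting machine is the step that pairs the issued certificate with the pending key; only after that can the pair be exported as a PFX. Enrollment goes over RPC/DCOM, so IIS web enrollment is not needed. Assumed names that are not in the post: the template name OfflineIPsecComputer, the CA config string DC1\Contoso-CA, the client FQDN vpnclient.example.com, the work directory and the PFX password. Run it as Administrator, ideally on the VPN client itself; if it must run elsewhere, the PFX carries the key to the client.

```powershell
# Added example (not from the original post). Assumed names are marked below.
$CaConfig = 'DC1\Contoso-CA'            # assumption: "CAhost\CA common name"
$Template = 'OfflineIPsecComputer'      # assumption: the custom Computer template
$Subject  = 'CN=vpnclient.example.com'  # assumption: the non-domain VPN client
$Work     = 'C:\certwork'               # assumption
$PfxPass  = 'ChangeMe!'                 # assumption: use a real one-time secret
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Request file. Exportable=TRUE marks the KEY exportable at generation time;
#    MachineKeySet=TRUE puts it in the Local Computer store, where IKE/IPsec
#    (and the L2TP client) look for a machine certificate. KeySpec=1
#    (AT_KEYEXCHANGE) is what IKE needs; SChannel CSP = ProviderType 12.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path "$Work\client.inf" -Value $inf -Encoding ASCII

# 2. Generate key pair + PKCS#10 request. The private key now lives in THIS
#    machine's key store, held as "pending" against this request.
certreq -new "$Work\client.inf" "$Work\client.req"

# 3. Submit to the enterprise CA over RPC/DCOM (no IIS involved) and receive
#    the issued certificate as a .cer file (public part only).
certreq -submit -config $CaConfig "$Work\client.req" "$Work\client.cer"

# 4. Install the issued certificate on THIS machine. This is the step that
#    binds the certificate to the pending private key. Skipping it and
#    exporting from the CA's MMC instead gives a certificate with no key.
certreq -accept "$Work\client.cer"

# 5. Check the pairing, then export certificate + private key as PFX for
#    transfer to the client. The PFX is the client's identity: protect it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Select-Object -First 1
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Issued certificate is not paired with a private key; was certreq -accept run on the requesting machine?"
}
certutil -p $PfxPass -exportPFX My $cert.Thumbprint "$Work\client.pfx"

# 6. Export the CA's root certificate for the client's Trusted Root store.
certutil -config $CaConfig -ca.cert "$Work\rootca.cer"

# On the VPN client (as Administrator), after copying the two files over:
#   certutil -addstore Root rootca.cer
#   certutil -p ChangeMe! -importPFX My client.pfx
# certutil -importPFX is available on Vista/2008 and later; on XP import
# client.pfx with the Certificate Import Wizard into Local Computer\Personal.
```

A quick sanity check after import on the client: in the Certificates MMC (Local Computer, Personal) the certificate should show the small key icon and the "You have a private key that corresponds to this certificate" line; without that, IKE has nothing to sign with and the negotiation fails in exactly the way Errors 789/792 describe.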

