Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Enterprise CA

 

There may be times when a machine that is not a domain member needs to obtain a machine certificate from a Microsoft enterprise CA. While domain member computers can use Group Policy-based autoenrollment and the Certificates stand-alone snap-in to obtain a machine certificate, non-domain members need to use the Web enrollment site.

 

*       Note:
Please see ISA Server 2000 VPN Deployment Kit article Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain for more information on how to assign machine certificates to domain members via autoenrollment.

 

This ISA Server 2000 VPN Deployment Kit article discusses the following procedures:

 

  • Request and install an Administrator certificate from the Web enrollment site
  • Copy the enterprise CA’s self-signed CA certificate into the machine’s list of Trusted Root Certification Authorities

 

These procedures will allow you to obtain a machine certificate from an Enterprise Certification Authority (CA).

 

Requesting a Machine Certificate from the Enterprise CA Web Enrollment Site

 

Perform the following steps to obtain a machine certificate from an enterprise CA Web enrollment site:

 

  1. At the machine for which you wish to obtain a machine certificate, open Internet Explorer and type in the URL http://<ip_address>/certsrv or http://<fqdn>/certsrv, where <ip_address> and <fqdn> represent the IP address and the Fully Qualified Domain Name of the certificate authority, respectively.

 

In this example we assume the client machine is on the internal network, behind the ISA firewall/VPN server. External network clients have the option to obtain certificates from an enterprise CA if that CA is published. Please refer to ISA Server 2000 VPN Deployment Kit document Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List for information on how to publish a Microsoft Certificate Authority.

 

Press ENTER after typing in the URL. Enter the User Name, Password and Domain of a domain administrator and click OK (figure 1).

 

Figure 1 (fig100)

 

  1. Click the Request a Certificate link on the Welcome page of the Microsoft Certificate Services Web enrollment site (figure 2).

 

Figure 2 (fig101)

 

  1. Click the Advanced certificate request link on the Request a Certificate  page (figure 3)

 

Figure 3 (fig102)

 

  1. Click the Create and submit a request to this CA link on the Advanced Certificate Request page (figure 4)

 

Figure 4 (fig103)

 

  1. On the Advanced Certificate Request page (figure 5), click the down-arrow for the Certificate Template drop down list and select the Administrator option. Place a checkmark in the Store certificate in the local computer certificate store checkbox.

 

You can leave all the other options at the default settings. Scroll down to the bottom of the page and click the Submit button.

 

*       Note:
You must be logged on with local administrator rights to add certificates to the local machine certificate store

 

Figure 5 (fig104)

 

  1. Click Yes on the Potential Scripting Violation dialog box (figure 6). This dialog box informs you the Web site is requesting a new certificate on your behalf and that you should trust the Web site before continuing.

 

Figure 6 (fig105)

 

  1. Click the Install this certificate link on the Certificate Issued page (figure 7).

 

Figure 7 (fig106)

 

  1. Click Yes on the Potential Scripting Violation dialog box (figure 8). This dialog box warns you the Web site is adding one or more certificates to the local machine store.

 

Figure 8 (fig107)

 

  1. The Certificate Installed page confirms that the certificate has been successfully installed (figure 9). Close Internet Explorer.

 

Figure 9 (fig108)

 

 

Copying the Enterprise CA’s Self-Signed Certificate into the Trusted Root Certification Authorities Certificate Store

 

One of the advantages of using an enterprise CA is that domain members automatically have the enterprise CA’s self-signed certificate added to their Trusted Root Certification Authority certificate stores. When a non-domain member requests a machine certificate to the enterprise CA via the Web enrollment site, the machine certificate is added to the machine’s Personal certificate store. However, the enterprise CA’s self-signed certificate is not automatically added to the Trusted Root Certification Authorities store. You will need to do this manually.

 

Perform the following steps to copy the enterprise CA’s self-signed certificate into the VPN client’s Trusted Root Certification Authorities Certificate store:

 

  1. At the VPN client machine that received the machine certificate, click Start and then click Run. Type mmc in the Open text box and click OK.
  2. In the Console1 window, click the Console menu and click the Add/Remove Snap-in command (figure 10).

 

Figure 10 (fig109)

 

  1. In the Add/Remove Snap-in dialog box, click the Add button (figure 11).

 

Figure 11 (fig110)

 

  1. In the Add Standalone Snap-in dialog box, select the Certificates snap-in from the list of Available Standalone Snap-ins and then click the Add button (figure 12).

 

Figure 12 (fig111)

 

  1. On the Certificates snap-in page, select the Computer account option and click Next (figure 13).

 

Figure 13 (fig112)

 

  1. On the Select Computer page, select the Local Computer option and click Next (figure 14).

 

Figure 14 (fig113)

 

  1. On the Add Standalone Snap-in dialog box, click the Close button (figure 15).

 

Figure 15 (fig114)

 

  1. On the Add/Remove Snap-in dialog box, click the OK button (figure 16).

 

Figure 16 (fig115)

 

  1. In the Console1 window, expand the Personal node in the left pane of the console and then click on the Personal\Certificates node. You will see the computer certificate issued to this machine in the right pane of the console (figure 17). Double click on the certificate to open the certificate’s Properties dialog box.

 

Figure 17 (fig116)

 

  1. Click on the Certificate Path tab in the Certificate dialog box. Notice the red “x” on the root certificate. This indicates that this machine does not trust the CA that issued the machine certificate. Click on the CA certificate that has the red “x” on it. This makes the View Certificate button available. Click on the View Certificate button (figure 18).

 

Figure 18 (fig117)

 

  1. Another Certificate dialog box opens. This dialog box provides details of the Certificate Authority’s certificate. Click on the Details tab. You can export this CA certificate to a file. Click on the Copy to File button (figure 19).

 

Figure 19 (fig118)

 

  1. Read the information on the Welcome to the Certificate Export Wizard page and click Next (figure 20).

 

Figure 20 (fig119)

 

  1. Select both the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) and Include all certificates in the certification path if possible options on the Export File Format page. Click Next (figure 21).

 

Figure 21 (fig120)

 

  1. Type in a file name and path in the File name text box on the File to Export page (figure 22). You do not need to type in a file extension. The file extension is added for you automatically. Click Next.

 

Figure 22 (fig121)

 

  1. Review the settings on the Completing the Certificate Export Wizard page and click Finish (figure 23).

 

Figure 23 (fig122)

 

  1. Click OK on the Certificate Export Wizard dialog box that informs you the The export was successful (figure 24).

 

Figure 24 (fig123)

 

  1. Click OK in the Certificate dialog box for the CA certificate (figure 25).

 

Figure 25 (fig124)

 

  1. Click OK in the Certificate dialog box for the machine certificate (figure 26).

 

Figure 26 (fig125)

 

  1. Expand the Trusted Root Certification Authorities node in the left pane of the console and right click on the Trusted Root Certification Authorities\Certificates node. Point to All Tasks and click on Import (figure 27).

 

Figure 27 (fig126)

 

  1. Read the information on the Welcome to the Certificate Import Wizard page then click Next (figure 28).

 

Figure 28 (fig127)

 

  1. Use the Browse button on the File to Import page to locate the CA certificate you saved to the local hard disk. The name and path to the certificate will appear in the File name text box. Click Next (figure 29).

 

Figure 29 (fig128)

 

  1. Confirm that the Place all certificates in the following store option is selected and that it says Trusted Root Certification Authorities in the Certificate store text box on the Certificate Store page (figure 30). Click Next.

 

Figure 30 (fig129)

 

  1. Confirm the settings in the Completing the Certificate Import Wizard dialog box, then click Next (figure 31).

 

Figure 31 (fig130)

 

  1. Click OK on the Certificate Import Wizard dialog box that informs you that The import was successful (figure 32).

 

Figure 32 (fig131)

 

  1. Select the Trusted Root Certificate Authorities\Certificates node in the left pane of the console and press the F5 key on the keyboard to refresh the view. You will now find the CA’s certificate listed in the right pane.

 

Figure 33 (fig132)

 

  1. Click on the Personal\Certificates node in the left pane of the console and then double click on the machine certificate that appears in the right pane. Click on the Certification Path tab in the Certificate dialog box. The red “x” is removed from the CA’s entry in the Certification path because the CA is now trusted.

 

Figure 34 (fig133)

 

This VPN client machine now has a machine certificate that will enable it to establish an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server. Note that the ISA firewall/VPN server must also have a machine certificate from the same enterprise CA or another CA that is trusted by the VPN client. For most small to medium sized businesses, the same CA will assign certificates to the VPN clients and VPN server.