Machine Certificate via Web Enrollment from a Windows Server 2003
be times when a machine that is not a domain member needs to obtain a machine certificate
from a Microsoft enterprise CA. While domain member computers can use Group
Policy-based autoenrollment and the Certificates stand-alone snap-in to obtain
a machine certificate, non-domain members need to use the Web enrollment site.
Please see ISA Server 2000 VPN
Deployment Kit article Assigning Certificates to
Domain Members via Autoenrollment in a Windows Server 2003 Active Directory
Domain for more information on how to assign machine
certificates to domain members via autoenrollment.
This ISA Server 2000 VPN Deployment Kit article
discusses the following procedures:
- Request and install an Administrator certificate from the
Web enrollment site
- Copy the enterprise CA’s
self-signed CA certificate into the machine’s list of Trusted Root Certification Authorities
procedures will allow you to obtain a machine certificate from an Enterprise
Certification Authority (CA).
Requesting a Machine Certificate
from the Enterprise CA Web Enrollment Site
following steps to obtain a machine certificate from an enterprise CA Web
- At the machine for which you
wish to obtain a machine certificate, open Internet Explorer and type in the URL http://<ip_address>/certsrv
where <ip_address> and <fqdn> represent the IP
address and the Fully Qualified Domain Name of the certificate authority, respectively.
In this example we assume the client machine is on the
internal network, behind the ISA firewall/VPN server. External network clients
have the option to obtain certificates from an enterprise CA if that CA is
published. Please refer to ISA Server
2000 VPN Deployment Kit document Publishing a Windows Server 2003 Certification
Authority Web Enrollment Site and Certificate Revocation List
for information on how to publish a Microsoft Certificate Authority.
Press ENTER after
typing in the URL. Enter the User Name,
Password and Domain of a domain administrator and click OK (figure 1).
- Click the Request a Certificate link on the Welcome page of the Microsoft
Certificate Services Web enrollment site (figure 2).
- Click the Advanced certificate request link on the Request a Certificate page (figure 3)
- Click the Create and submit a request to this CA link on the Advanced Certificate Request page
- On the Advanced Certificate Request page (figure 5), click the
down-arrow for the Certificate
Template drop down list and select the Administrator option. Place a checkmark in the Store certificate in the local
computer certificate store checkbox.
You can leave all the other options at the default settings.
Scroll down to the bottom of the page and click the Submit button.
You must be logged on with local administrator rights to add certificates to
the local machine certificate store
- Click Yes on the Potential
Scripting Violation dialog box (figure 6). This dialog box informs you
the Web site is requesting a new certificate on your behalf and that you
should trust the Web site before continuing.
- Click the Install this certificate link on the Certificate Issued page (figure 7).
- Click Yes on the Potential
Scripting Violation dialog box (figure 8). This dialog box warns you
the Web site is adding one or more certificates to the local machine
- The Certificate Installed page confirms that the certificate has
been successfully installed (figure 9). Close Internet Explorer.
Copying the Enterprise CA’s
Self-Signed Certificate into the Trusted Root Certification Authorities
One of the
advantages of using an enterprise CA is that domain members automatically have
the enterprise CA’s self-signed certificate added to their Trusted Root Certification Authority certificate stores. When a
non-domain member requests a machine certificate to the enterprise CA via the
Web enrollment site, the machine certificate is added to the machine’s Personal certificate store. However,
the enterprise CA’s self-signed certificate is not automatically added to the Trusted Root Certification Authorities
store. You will need to do this manually.
following steps to copy the enterprise CA’s self-signed certificate into the
VPN client’s Trusted Root Certification Authorities Certificate store:
- At the VPN client machine that
received the machine certificate, click Start and then click Run.
Type mmc in the Open text box and click OK.
- In the Console1 window, click the Console menu and click the Add/Remove Snap-in command (figure 10).
- In the Add/Remove Snap-in dialog box, click the Add button (figure 11).
- In the Add Standalone Snap-in dialog box, select the Certificates snap-in from the list
of Available Standalone Snap-ins
and then click the Add button
- On the Certificates snap-in page, select the Computer account option and click Next (figure 13).
- On the Select Computer page, select the Local Computer option and click Next (figure 14).
- On the Add Standalone Snap-in dialog box, click the Close button (figure 15).
- On the Add/Remove Snap-in dialog box, click the OK button (figure 16).
- In the Console1 window, expand the Personal node in the left pane of the console and then click
on the Personal\Certificates
node. You will see the computer certificate issued to this machine in the
right pane of the console (figure 17). Double click on the certificate to
open the certificate’s Properties
- Click on the Certificate Path tab in the Certificate dialog box. Notice the
red “x” on the root certificate. This indicates that this machine does not
trust the CA that issued the machine certificate. Click on the CA
certificate that has the red “x” on it. This makes the View Certificate button available.
Click on the View Certificate button
- Another Certificate dialog box opens. This dialog box provides details
of the Certificate Authority’s certificate. Click on the Details tab. You can export this
CA certificate to a file. Click on the Copy to File button (figure 19).
- Read the information on the Welcome to the Certificate Export
Wizard page and click Next (figure
- Select both the Cryptographic Message Syntax Standard
– PKCS #7 Certificates (.P7B) and Include
all certificates in the certification path if possible options on the Export File Format page. Click Next (figure 21).
- Type in a file name and path in
the File name text box on the File to Export page (figure 22).
You do not need to type in a file extension. The file extension is added
for you automatically. Click Next.
- Review the settings on the Completing the Certificate Export
Wizard page and click Finish (figure
- Click OK on the Certificate
Export Wizard dialog box that informs you the The export was successful (figure 24).
- Click OK in the Certificate dialog
box for the CA certificate (figure 25).
- Click OK in the Certificate
dialog box for the machine certificate (figure 26).
- Expand the Trusted Root Certification Authorities node in the left pane
of the console and right click on the Trusted
Root Certification Authorities\Certificates node. Point to All Tasks and click on Import (figure 27).
- Read the information on the Welcome to the Certificate Import
Wizard page then click Next
- Use the Browse button on the File
to Import page to locate the CA certificate you saved to the local
hard disk. The name and path to the certificate will appear in the File name text box. Click Next (figure 29).
- Confirm that the Place all certificates in the
following store option is selected and that it says Trusted Root Certification Authorities
in the Certificate store text
box on the Certificate Store
page (figure 30). Click Next.
- Confirm the settings in the Completing the Certificate Import
Wizard dialog box, then click Next
- Click OK on the Certificate
Import Wizard dialog box that informs you that The import was successful (figure 32).
- Select the Trusted Root Certificate Authorities\Certificates node in the
left pane of the console and press the F5 key on the keyboard to refresh the view. You will now find
the CA’s certificate listed in the right pane.
- Click on the Personal\Certificates node in the left
pane of the console and then double click on the machine certificate that
appears in the right pane. Click on the Certification Path tab in the Certificate dialog box. The red “x” is removed from the CA’s
entry in the Certification path
because the CA is now trusted.
client machine now has a machine certificate that will enable it to establish
an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server. Note that
the ISA firewall/VPN server must also have a machine certificate from the same
enterprise CA or another CA that is trusted by the VPN client. For most small to
medium sized businesses, the same CA will assign certificates to the VPN
clients and VPN server.