Obtaining a
Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA
There may
be times when a machine that is not a domain member needs to obtain a machine
certificate from a Microsoft stand-alone CA. While domain members can use autoenrollment
and the Certificates stand-alone snap-in to obtain a machine certificate from
an enterprise CA, both domain and non-domain members need to use the Web
enrollment site to obtain a machine certificate from a stand-alone CA.
Note:
Please see ISA Server 2000 VPN
Deployment Kit article Assigning Certificates to
Domain Members via Autoenrollment in a Windows Server 2003 Active Directory
Domain for detailed information on how to assign machine
certificates to domain members via autoenrollment and the Certificates MMC.
This ISA Server 2000 VPN Deployment Kit article
describes procedures that allow you to obtain a machine certificate that can be
used to establish L2TP/IPSec VPN connections:
- Request and install an Administrator certificate from the
Web enrollment site
- Copy the stand-alone CA’s
self-signed CA certificate into the machine’s list of Trusted Root Certification Authorities
Note:
If a domain administrator installed the
stand-alone CA on a domain member server, then the CA certificate of the
stand-alone CA will be automatically entered into the Trusted Root Certification Authorities store for all domain users
and computers. You will not need to copy the stand-alone CA’s self-signed CA certificate
into the machine’s list of Trusted Root
Certification Authorities under these circumstances. However, you will
always need to copy the CA certificate into the Trusted Root Certification
Authorities certificate store for non-domain members.
Requesting a Machine Certificate
from the Stand-alone CA Web Enrollment Site
Perform the
following steps to obtain a machine certificate from a stand-alone CA Web
enrollment site:
Note:
The procedures listed below can be used at the ISA Server firewall/VPN server
if the firewall is not a member of the internal network domain. You should use
the Certificates MMC stand-alone snap-in or autoenrollment if the ISA Server
firewall/VPN server is a member of the internal network domain.
- At the machine for which you
wish to obtain a machine certificate, open Internet Explorer and type in the URL http://<ip_address>/certsrv
or http://<fqdn>/certsrv,
where <ip_address> and <fqdn> represent the IP
address and the Fully Qualified Domain Name of the certificate authority, respectively. In this example
we assume that that the machine is on the internal network, behind the ISA
Server firewall/VPN server. External network clients have the option to
obtain certificates from an enterprise CA if that CA is published.
Please refer to ISA
Server 2000 VPN Deployment Kit document Publishing a Windows Server
2003 Certification Authority Web Enrollment Site and Certificate Revocation
List for information on how to publish a Microsoft Certificate
Authority. Press ENTER after typing
in the URL.
Enter the User Name,
Password and Domain of a domain
administrator and click OK (figure
1).
Figure 1
(fig100)

- Click the Request a Certificate link on the Welcome page of the Microsoft
Certificate Services Web enrollment site (figure 2).
Figure 2
(fig101)

- Click the Advanced certificate request link on the Request a Certificate page (figure 3)
Figure 3
(fig102)

- Click the Create and submit a request to this CA link on the Advanced Certificate Request page
(figure 4)
Figure 4
(fig103)

- On the Advanced Certificate Request page (figure 5), Enter the
identifying information into the text boxes. You must enter this
identifying information when requesting a certificate from the stand-alone
CA because the stand-alone CA does not have knowledge about the requester.
Select the IPSec Certificate option in the Type of Certificate Needed drop down list (figure 5A).
Place a checkmark in the Store certificate in the local computer certificate store checkbox.
You can leave all the other options at the default settings. Scroll down to the
bottom of the page and click the Submit button.
Note:
You must be logged on with local administrator rights to add certificates to
the local machine certificate store.
Figure 5
(fig104)

Figure 5A
(fig104A)

- Click Yes on the Potential
Scripting Violation dialog box (figure 6). This dialog box informs you
the Web site is requesting a new certificate on your behalf and that you
should trust the Web site before continuing.
Figure 6
(fig105)

- You are presented with the Certificate Pending page (figure
7). The default setting on a stand-alone CA is to require administrator
intervention before issuing a certificate. The reason for this is that the
CA has no method of confirming the identity and the validity of the
information provided by the certificate requestor.
At this point you must go to the stand-alone CA and grant
the certificate request. Please refer to ISA
Server 2000 VPN Deployment Kit document Obtaining a Machine
Certificate via Web Enrollment from a Windows Server 2003 Standalone CA
for information on installing and configuring a Windows Server 2003 stand-alone
CA. Approve the certificate then proceed
to the next step.
Figure 7
(fig106)

- Click the View the status of a pending certificate request on the Welcome page of the certificate
server Web enrollment site (figure 8).
Figure 8
(fig107)

- Select the link to your
certificate on the View the Status
of a Pending Certificate Request page (figure 9). In this example, the
link says IPSec Certificate (Sunday
June 15 2003 10:35:43 PM).
Figure 9 (fig108)

- Click the Install this certificate link on the Certificate Issued page (figure 10).
Figure 10
(fig209)

- Click Yes in the Potential
Scripting Violation dialog box that informs that the Web site is adding
one more certificates to the computer (figure 11).
Figure 11
(fig210)

- The Certificate Installed page appears confirming that the
certificate was successfully installed (figure 12).
Figure 12
(fig211)

Copying the Stand-alone CA’s
Self-Signed Certificate into the Trusted Root Certification Authorities
Certificate Store
When either
a domain or a non-domain member requests a machine certificate from a
stand-alone CA, the machine certificate is added to the machine’s Personal certificate store. However,
the standalone CA’s self-signed certificate is not automatically added to the Trusted Root Certification Authorities
store. You will need to take care of this step manually.
Note:
If a domain administrator installed the
stand-alone CA on a domain member server, then the CA certificate of the
stand-alone CA will be automatically entered into the Trusted Root Certification Authorities store for all domain users
and computers. You not need to copy the stand-alone CA’s self-signed CA
certificate into the machine list of Trusted
Root Certification Authorities under these circumstances. However, you will
always need to copy the CA’s certificate into the machines Trusted Root
Certification Authorities certificate store for non-domain members.
Note:
The following procedure is not required on Windows 95, Windows 98, Windows
98SE, Windows ME and Windows NT 4.0 Workstation computers that use the
Microsoft L2TP/IPSec VPN client. The following procedure applies only to Windows
2000, Windows XP and Windows Server 2003 machines that require a machine
certificate to create an L2TP/IPSec VPN link to the ISA Server firewall/VPN
server.
Perform the
following steps to copy the enterprise CA’s self-signed certificate into the
VPN client’s Trusted Root Certification Authorities Certificate store:
- At the VPN client machine that
received the certificate, click Start
and then click Run. Type mmc in the Open text box and click OK.
- In the Console1 window, click the Console menu and click the Add/Remove Snap-in command (figure 10).
Figure 10
(fig109)

- In the Add/Remove Snap-in dialog box, click the Add button (figure 11).
Figure 11
(fig110)

- In the Add Standalone Snap-in dialog box, select the Certificates snap-in from the list
of Available Standalone Snap-ins
and then click the Add button
(figure 12).
Figure 12
(fig111)

- On the Certificates snap-in page, select the Computer account option and click Next (figure 13).
Figure 13
(fig112)

- On the Select Computer page, select the Local Computer option and click Next (figure 14).
Figure 14
(fig113)

- On the Add Standalone Snap-in dialog box, click the Close button (figure 15).
Figure 15
(fig114)

- On the Add/Remove Snap-in dialog box, click the OK button (figure 16).
Figure 16
(fig115)

- In the Console1 window, expand the Personal node in the left pane of the console and then click
on the Personal\Certificates
node. You will see the computer certificate issued to this machine in the
right pane of the console (figure 17). Double click on the certificate to
open the certificate’s Properties
dialog box.
Figure 17
(fig116)

- Click on the Certificate Path tab in the Certificate dialog box. Notice the
red “x” on the root certificate. This indicates that this machine does not
trust the CA that issued the machine certificate. Click on the CA
certificate that has the red “x” on it. This makes the View Certificate button available.
Click on the View Certificate button
(figure 18).
Figure 18
(fig117)

- Another Certificate dialog box opens. This dialog box provides the
details of the Certificate Authority’s certificate. Click on the Details tab. You can export this
certificate to a file. Click on the Copy
to File button (figure 19).
Figure 19
(fig118)

- Read the information on the Welcome to the Certificate Export
Wizard page and click Next (figure
20).
Figure 20
(fig119)

- Select both the Cryptographic Message Syntax Standard
– PKCS #7 Certificates (.P7B) and Include
all certificates in the certification path if possible options on the Export File Format page. Click Next (figure 21).
Figure 21
(fig120)

- Type in a file name and path in
the File name text box on the File to Export page (figure 22).
You do not need to type in a file extension. The file extension is added
for you automatically.
Figure 22
(fig121)

- Review the settings on the Completing the Certificate Export
Wizard page and click Finish (figure
23).
Figure 23
(fig122)

- Click OK on the Certificate
Export Wizard dialog box informing you that The export was successful (figure 24).
Figure 24
(fig123)

- Click OK in the Certificate dialog
box for the CA certificate (figure 25).
Figure 25
(fig124)

- Click OK in the Certificate
dialog box for the machine certificate (figure 26).
Figure 26
(fig125)

- Expand the Trusted Root Certification Authorities node in the left pane
of the console and right click on the Trusted
Root Certification Authorities\Certificates node. Point to All Tasks and click on Import (figure 27).
Figure 27
(fig126)

- Read the information on the Welcome to the Certificate Import
Wizard page then click Next
(figure 28).
Figure 28
(fig127)

- Use the Browse button on the File
to Import page to locate the CA certificate you saved to the local
hard disk. The name and path to the certificate will appear in the File name text box. Click Next (figure 29).
Figure 29
(fig128)

- Confirm that the Place all certificates in the
following store option is selected and that it says Trusted Root Certification Authorities
in the Certificate store text
box on the Certificate Store
page (figure 30). Click Next.
Figure 30
(fig129)

- Confirm the settings in the Completing the Certificate Import
Wizard dialog box, then click Next
(figure 31).
Figure 31
(fig130)

- Click OK on the Certificate
Import Wizard dialog box informing you that The import was successful (figure 32).
Figure 32
(fig131)

- Select the Trusted Root Certificate Authorities\Certificates node in the
left pane of the console and press the F5 key on the keyboard to refresh the view. You will now find
the CA’s certificate listed in the right pane.
Figure 33
(fig132)

- Click on the Personal\Certificates node in the left
pane of the console and then double click on the machine certificate that
appears in the right pane. Click on the Certification Path tab in the Certificate dialog box. The red “x” is removed from the CA’s
entry in the Certification path
because the CA is now trusted.
Figure 34
(fig133)

This VPN
client machine now has a machine certificate that will enable the machine to
establish an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server.
Note that the ISA Server firewall/VPN server must also have a machine
certificate from the same enterprise CA or another CA that is trusted by the
VPN client. For most small to medium sized businesses, the same CA assigns
certificates to the VPN clients and servers.