Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA

There may be times when a machine that is not a domain member needs to obtain a machine certificate from a Microsoft stand-alone CA. While domain members can use autoenrollment and the Certificates stand-alone snap-in to obtain a machine certificate from an enterprise CA, both domain and non-domain members must use the Web enrollment site to obtain a machine certificate from a stand-alone CA.

Note: Please see the ISA Server 2000 VPN Deployment Kit article Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain for detailed information on how to assign machine certificates to domain members via autoenrollment and the Certificates MMC.

This ISA Server 2000 VPN Deployment Kit article describes the procedures that allow you to obtain a machine certificate that can be used to establish L2TP/IPSec VPN connections:

  • Request and install an IPSec machine certificate from the Web enrollment site
  • Copy the stand-alone CA’s self-signed CA certificate into the machine’s list of Trusted Root Certification Authorities

Note: If a domain administrator installed the stand-alone CA on a domain member server, the CA certificate of the stand-alone CA is automatically entered into the Trusted Root Certification Authorities store for all domain users and computers. You will not need to copy the stand-alone CA’s self-signed CA certificate into the machine’s list of Trusted Root Certification Authorities under these circumstances. However, you will always need to copy the CA certificate into the Trusted Root Certification Authorities certificate store on non-domain members.

 

Requesting a Machine Certificate from the Stand-alone CA Web Enrollment Site

Perform the following steps to obtain a machine certificate from a stand-alone CA Web enrollment site:

Note: The procedures listed below can be used at the ISA Server firewall/VPN server if the firewall is not a member of the internal network domain. You should use the Certificates MMC stand-alone snap-in or autoenrollment if the ISA Server firewall/VPN server is a member of the internal network domain.

  1. At the machine for which you wish to obtain a machine certificate, open Internet Explorer and type in the URL http://<ip_address>/certsrv or http://<fqdn>/certsrv, where <ip_address> and <fqdn> represent the IP address and the Fully Qualified Domain Name of the certificate authority, respectively. In this example we assume that the machine is on the internal network, behind the ISA Server firewall/VPN server. External network clients have the option to obtain certificates from an enterprise CA if that CA is published.

Please refer to the ISA Server 2000 VPN Deployment Kit document Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List for information on how to publish a Microsoft Certificate Authority. Press ENTER after typing in the URL.

Enter the User Name, Password and Domain of a domain administrator and click OK (figure 1).

Figure 1 (fig100)

  2. Click the Request a Certificate link on the Welcome page of the Microsoft Certificate Services Web enrollment site (figure 2).

Figure 2 (fig101)

  3. Click the Advanced certificate request link on the Request a Certificate page (figure 3).

Figure 3 (fig102)

  4. Click the Create and submit a request to this CA link on the Advanced Certificate Request page (figure 4).

Figure 4 (fig103)

  5. On the Advanced Certificate Request page (figure 5), enter the identifying information into the text boxes. You must enter this identifying information when requesting a certificate from the stand-alone CA because the stand-alone CA has no knowledge of the requester. Select the IPSec Certificate option in the Type of Certificate Needed drop-down list (figure 5A).

Place a checkmark in the Store certificate in the local computer certificate store checkbox. You can leave all the other options at their default settings. Scroll down to the bottom of the page and click the Submit button.

Note: You must be logged on with local administrator rights to add certificates to the local machine certificate store.

Figure 5 (fig104)

Figure 5A (fig104A)

  6. Click Yes in the Potential Scripting Violation dialog box (figure 6). This dialog box informs you that the Web site is requesting a new certificate on your behalf and that you should trust the Web site before continuing.

Figure 6 (fig105)

  7. You are presented with the Certificate Pending page (figure 7). The default setting on a stand-alone CA is to require administrator intervention before issuing a certificate, because the CA has no method of confirming the identity of the requester or the validity of the information provided in the request.

At this point you must go to the stand-alone CA and grant the certificate request. Please refer to the ISA Server 2000 VPN Deployment Kit document Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA for information on installing and configuring a Windows Server 2003 stand-alone CA. Approve the certificate, then proceed to the next step.

Figure 7 (fig106)

  8. Click the View the status of a pending certificate request link on the Welcome page of the certificate server Web enrollment site (figure 8).

Figure 8 (fig107)

  9. Select the link to your certificate on the View the Status of a Pending Certificate Request page (figure 9). In this example, the link says IPSec Certificate (Sunday June 15 2003 10:35:43 PM).

Figure 9 (fig108)

  10. Click the Install this certificate link on the Certificate Issued page (figure 10).

Figure 10 (fig209)

  11. Click Yes in the Potential Scripting Violation dialog box that informs you that the Web site is adding one or more certificates to the computer (figure 11).

Figure 11 (fig210)

  12. The Certificate Installed page appears, confirming that the certificate was successfully installed (figure 12).

Figure 12 (fig211)
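
The following script is an added example for checking the result of the Web enrollment steps above from the command line; it is not part of the ISA Server 2000 VPN Deployment Kit. It assumes Windows PowerShell is installed on the VPN client, that the stand-alone CA's common name is passed as -CaName (MyStandaloneCA is a placeholder), and that the IPSec Certificate type issues the IP security IKE intermediate enhanced key usage (OID 1.3.6.1.5.5.8.2.2). It confirms that the certificate went into the local computer's Personal store rather than the user's store, that the private key is present on the machine, and that the EKU is the IPsec one.

```powershell
# Added example, not from the ISA Server 2000 VPN Deployment Kit: verify what
# Web enrollment left behind on the VPN client. Run in an elevated PowerShell.
# Assumptions: $CaName is the stand-alone CA's common name (placeholder below);
# the IPSec Certificate type carries the "IP security IKE intermediate" EKU.
param([string]$CaName = 'MyStandaloneCA')   # placeholder: your CA's CN

$ikeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate
$ekuExtType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Get-IpsecMachineCert {
    # Returns the certificates in the local computer's Personal store
    # (Cert:\LocalMachine\My) that were issued by $IssuerName, have their
    # private key on this machine, and carry the IPsec IKE EKU.
    param([string]$IssuerName)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        if ($cert.Issuer -notlike "*CN=$IssuerName*") { continue }
        # Without the private key the machine cannot authenticate the IKE exchange
        if (-not $cert.HasPrivateKey) { continue }
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuExtType } | Select-Object -First 1
        if (-not $eku) { continue }
        if ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ikeIntermediateOid }) {
            $cert
        }
    }
}

function Test-WrongStore {
    # A common mistake: the "Store certificate in the local computer certificate
    # store" box was left clear, so the certificate landed in the user's store,
    # where the L2TP/IPSec client cannot use it as a machine certificate.
    param([string]$IssuerName)
    @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -like "*CN=$IssuerName*" }).Count -gt 0
}

$certs = @(Get-IpsecMachineCert -IssuerName $CaName)
if ($certs.Count -eq 0) {
    Write-Warning "No IPSec machine certificate issued by CN=$CaName in LocalMachine\My."
    if (Test-WrongStore -IssuerName $CaName) {
        Write-Warning 'A certificate from this CA is in CurrentUser\My: the request was submitted without the local computer store option.'
    } else {
        Write-Warning 'Check that the request was approved on the CA and installed via "Install this certificate".'
    }
} else {
    foreach ($c in $certs) {
        '{0}  Subject: {1}  Expires: {2:u}' -f $c.Thumbprint, $c.Subject, $c.NotAfter
    }
}
```

Run it as `.\Check-IpsecCert.ps1 -CaName <your CA's common name>` (the file name is an assumption). The approval step of the procedure happens on the CA, not the client: there, the standard certutil switches `certutil -view -restrict "Disposition=9"` list the pending requests and `certutil -resubmit <RequestID>` issues one; neither command is part of the kit article.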
Copying the Stand-alone CA’s Self-Signed Certificate into the Trusted Root Certification Authorities Certificate Store

When either a domain or a non-domain member requests a machine certificate from a stand-alone CA, the machine certificate is added to the machine’s Personal certificate store. However, the stand-alone CA’s self-signed certificate is not automatically added to the Trusted Root Certification Authorities store, so the machine does not yet trust the CA that issued its certificate. You will need to take care of this step manually.

Note: If a domain administrator installed the stand-alone CA on a domain member server, the CA certificate of the stand-alone CA is automatically entered into the Trusted Root Certification Authorities store for all domain users and computers. You will not need to copy the stand-alone CA’s self-signed CA certificate into the machine’s list of Trusted Root Certification Authorities under these circumstances. However, you will always need to copy the CA’s certificate into the machine’s Trusted Root Certification Authorities certificate store on non-domain members.

Note: The following procedure is not required on Windows 95, Windows 98, Windows 98SE, Windows ME and Windows NT 4.0 Workstation computers that use the Microsoft L2TP/IPSec VPN client. The following procedure applies only to Windows 2000, Windows XP and Windows Server 2003 machines that require a machine certificate to create an L2TP/IPSec VPN link to the ISA Server firewall/VPN server.

Perform the following steps to copy the stand-alone CA’s self-signed certificate into the VPN client’s Trusted Root Certification Authorities certificate store:

 

  1. At the VPN client machine that received the certificate, click Start and then click Run. Type mmc in the Open text box and click OK.
  2. In the Console1 window, click the Console menu and click the Add/Remove Snap-in command (figure 10).

Figure 10 (fig109)

  3. In the Add/Remove Snap-in dialog box, click the Add button (figure 11).

Figure 11 (fig110)

  4. In the Add Standalone Snap-in dialog box, select the Certificates snap-in from the list of Available Standalone Snap-ins and then click the Add button (figure 12).

Figure 12 (fig111)

  5. On the Certificates snap-in page, select the Computer account option and click Next (figure 13).

Figure 13 (fig112)

  6. On the Select Computer page, select the Local Computer option and click Next (figure 14).

Figure 14 (fig113)

  7. In the Add Standalone Snap-in dialog box, click the Close button (figure 15).

Figure 15 (fig114)

  8. In the Add/Remove Snap-in dialog box, click the OK button (figure 16).

Figure 16 (fig115)

  9. In the Console1 window, expand the Personal node in the left pane of the console and then click the Personal\Certificates node. You will see the computer certificate issued to this machine in the right pane of the console (figure 17). Double click the certificate to open the certificate’s Properties dialog box.

Figure 17 (fig116)

  10. Click the Certification Path tab in the Certificate dialog box. Notice the red “x” on the root certificate. This indicates that this machine does not trust the CA that issued the machine certificate. Click the CA certificate that has the red “x” on it. This makes the View Certificate button available. Click the View Certificate button (figure 18).

Figure 18 (fig117)

  11. Another Certificate dialog box opens. This dialog box provides the details of the Certificate Authority’s certificate. Click the Details tab. You can export this certificate to a file from here. Click the Copy to File button (figure 19).

Figure 19 (fig118)

  12. Read the information on the Welcome to the Certificate Export Wizard page and click Next (figure 20).

Figure 20 (fig119)

  13. Select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option and the Include all certificates in the certification path if possible option on the Export File Format page. Click Next (figure 21).

Figure 21 (fig120)

  14. Type a file name and path in the File name text box on the File to Export page (figure 22). You do not need to type a file extension; the file extension is added for you automatically.

Figure 22 (fig121)

  15. Review the settings on the Completing the Certificate Export Wizard page and click Finish (figure 23).

Figure 23 (fig122)

  16. Click OK in the Certificate Export Wizard dialog box informing you that the export was successful (figure 24).

Figure 24 (fig123)

  17. Click OK in the Certificate dialog box for the CA certificate (figure 25).

Figure 25 (fig124)

  18. Click OK in the Certificate dialog box for the machine certificate (figure 26).

Figure 26 (fig125)

  19. Expand the Trusted Root Certification Authorities node in the left pane of the console and right click the Trusted Root Certification Authorities\Certificates node. Point to All Tasks and click Import (figure 27).

Figure 27 (fig126)

  20. Read the information on the Welcome to the Certificate Import Wizard page, then click Next (figure 28).

Figure 28 (fig127)

  21. Use the Browse button on the File to Import page to locate the CA certificate file you saved to the local hard disk. The name and path of the file will appear in the File name text box. Click Next (figure 29).

Figure 29 (fig128)

  22. Confirm that the Place all certificates in the following store option is selected and that the Certificate store text box says Trusted Root Certification Authorities on the Certificate Store page (figure 30). Click Next.

Figure 30 (fig129)

  23. Confirm the settings in the Completing the Certificate Import Wizard dialog box, then click Next (figure 31).

Figure 31 (fig130)

  24. Click OK in the Certificate Import Wizard dialog box informing you that the import was successful (figure 32).

Figure 32 (fig131)

  25. Select the Trusted Root Certification Authorities\Certificates node in the left pane of the console and press the F5 key to refresh the view. You will now find the CA’s certificate listed in the right pane (figure 33).

Figure 33 (fig132)

  26. Click the Personal\Certificates node in the left pane of the console and then double click the machine certificate that appears in the right pane. Click the Certification Path tab in the Certificate dialog box. The red “x” is gone from the CA’s entry in the certification path because the CA is now trusted (figure 34).

Figure 34 (fig133)
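
The MMC steps above can be reproduced, and their result checked, with the script below. It is an added example and not part of the ISA Server 2000 VPN Deployment Kit; it assumes Windows PowerShell is available on the VPN client, that the machine certificate from the first procedure is in the local computer's Personal store, that -CaName is the stand-alone CA's common name (MyStandaloneCA is a placeholder) and that the script runs with local administrator rights, which writing to the Trusted Root store requires. It builds the certification path the way the Certification Path tab does, recognises the untrusted-root condition shown by the red "x", copies the self-signed CA certificate from that path into Trusted Root Certification Authorities (or reads it from the .p7b file the Certificate Export Wizard wrote when -ExportedFile is given), and rebuilds the path to confirm the CA is now trusted.

```powershell
# Added example, not from the ISA Server 2000 VPN Deployment Kit. Reproduces the
# "red x" check and the export/import of the CA certificate without the MMC.
# Assumptions: Windows PowerShell; the machine cert is in Cert:\LocalMachine\My;
# $CaName is the stand-alone CA's CN (placeholder); the session is elevated.
param(
    [string]$CaName = 'MyStandaloneCA',   # placeholder: your CA's CN
    [string]$ExportedFile = ''            # optional .p7b from the Certificate Export Wizard
)

$X509 = 'System.Security.Cryptography.X509Certificates'

function Test-MachineCertChain {
    # Builds the certification path for $Cert against this machine's stores, as the
    # Certification Path tab does. Revocation checking is off because a freshly
    # installed stand-alone CA's CRL is usually not reachable from the client yet.
    param($Cert)
    $chain = New-Object -TypeName "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
    # The last element of the path is the certificate the MMC marks with the red x
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    New-Object PSObject -Property @{
        Trusted       = $trusted
        UntrustedRoot = [bool]($status -match 'UntrustedRoot')
        Status        = $status
        TopCert       = $top
    }
}

function Get-SelfSignedFromP7b {
    # Reads the .p7b written by the Certificate Export Wizard and returns the
    # self-signed certificate in it, i.e. the stand-alone CA's own certificate.
    param([string]$Path)
    $coll = New-Object -TypeName "$X509.X509Certificate2Collection"
    $coll.Import($Path)
    $coll | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
}

function Add-TrustedRoot {
    # Equivalent of running the Certificate Import Wizard into
    # Trusted Root Certification Authorities on the Local Computer.
    param($RootCert)
    if ($RootCert.Subject -ne $RootCert.Issuer) {
        throw "Refusing to trust a certificate that is not self-signed: $($RootCert.Subject)"
    }
    $store = New-Object -TypeName "$X509.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        if (-not $store.Certificates.Contains($RootCert)) { $store.Add($RootCert) }
    } finally {
        $store.Close()
    }
}

$machineCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$CaName*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $machineCert) { throw "No machine certificate issued by CN=$CaName in LocalMachine\My" }

$before = Test-MachineCertChain -Cert $machineCert
if ($before.Trusted) {
    "CA already trusted; nothing to import. Path top: $($before.TopCert.Subject)"
} else {
    "Path not trusted ($($before.Status)); the MMC shows the red x on: $($before.TopCert.Subject)"
    if ($ExportedFile) {
        $root = Get-SelfSignedFromP7b -Path $ExportedFile
    } elseif ($before.UntrustedRoot) {
        $root = $before.TopCert
    } else {
        # PartialChain etc.: the CA certificate is not on this machine at all, so
        # even the MMC could not show it; obtain it from the CA and pass -ExportedFile
        throw "The CA certificate is not on this machine; export it on the CA and pass -ExportedFile"
    }
    Add-TrustedRoot -RootCert $root
    $after = Test-MachineCertChain -Cert $machineCert
    "After import: Trusted=$($after.Trusted)  Status=$($after.Status)"
}
```

The self-signed check in Add-TrustedRoot is deliberate: placing anything other than the CA's own root certificate into Trusted Root Certification Authorities would make this machine trust a certificate it should not, so the script refuses rather than import whatever file it was handed.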

 

This VPN client machine now has a machine certificate that will enable it to establish an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server. Note that the ISA Server firewall/VPN server must also have a machine certificate from the same stand-alone CA, or from another CA that is trusted by the VPN client. For most small to medium sized businesses, the same CA assigns certificates to both the VPN clients and the VPN server.