Ipsec using Digital Certificates

Peter Kerkhof
      05-31-2007, 01:33 PM
Hello everybody,

Why is it that I have no difficulty in finding references to
certificate-based IPsec-connections, but a waterproof step-by-step seems
nowhere to be found? I am currently using two virtual 2003 Enterprise Servers
that use Ipsec when establishing ICMP sessions. On one of them I installed a
CA. The root CA certificate is installed on both machines. However, each time
I select Use a certificate from this Certificate Authority as the
authentication method to be used in my ICMP Ipsec policy (the configured
action is to require security) the SA Negotiation fails. As soon as I switch
to pre-shared key authentication, the connection is established. It would
seem therefore that the problem has to do with acquiring the right
certificate. What am I missing? Clues, anybody?

Greetings
--
Peter Kerkhof (MCSE, MCT)
Greg Lindsay [MSFT]
      06-01-2007, 10:57 PM
Hi Peter,

It sounds like a problem with the enhanced key usage (EKU) of the
certificate you installed. Check that it has either Client Authentication
(1.3.6.1.5.5.7.3.2) or Server Authentication (1.3.6.1.5.5.7.3.1), and that
it is found in the local computer certificate store (not the user
certificate store).

Here are a couple of references that may help:
http://support.microsoft.com/kb/253498
http://www.microsoft.com/technet/pro...o/ispstep.mspx

You can also install a certificate using the templates (certtmpl.msc) on
your CA. The Web server template has the server authentication EKU, and the
Workstation Authentication template has a client auth EKU. You will need to
make sure the machine name or user account has permission to enroll, then
you can request one of these certificates. Instead of modifying permission
on the default templates, you might want to duplicate one or the other and
create your own custom certificate. If you do this, be sure to publish the
new template first by right-clicking certificate templates in the
certsrv.msc console (new..certificate template to issue).

I hope this helps! If I can be of more assistance, please send me an email
(see below, remove the "online" to get the correct email address)

--
Greg Lindsay [MSFT]
(E-Mail Removed)

Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

"Peter Kerkhof" <(E-Mail Removed)> wrote in message
news:C97B4B02-B02D-40B7-8C9F-(E-Mail Removed)...
> Hello everybody,
>
> Why is it that I have no difficulty in finding references to
> certificate-based IPsec-connections, but a waterproof step-by-step seems
> nowhere to be found? I am currently using two virtual 2003 Enterprise
> Servers
> that use Ipsec when establishing ICMP sessions. On one of them I installed
> a
> CA. The root CA certificate is installed on both machines. However, each
> time
> I select Use a certificate from this Certificate Authority as the
> authentication method to be used in my ICMP Ipsec policy (the configured
> action is to require security) the SA Negotiation fails. As soon as I
> switch
> to pre-shared key authentication, the connection is established. It would
> seem therefore that the problem has to do with acquiring the right
> certificate. What am I missing? Clues, anybody?
>
> Greetings
> --
> Peter Kerkhof (MCSE, MCT)



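Greg's two conditions (an EKU of Client Authentication or Server Authentication, and a certificate that lives in the computer store rather than the user store) are easy to check from a script rather than by opening each certificate in the MMC. The following is an added example, not code from the thread or from Microsoft; the function name Test-IPsecCertificate is my own. It assumes Windows PowerShell with the Cert: drive, so it applies to a current Windows host rather than the 2003 servers in the question, where certutil -store My shows the same fields by hand. Run it on the IPsec peer, in an elevated prompt, to see which machine certificates qualify and why the others do not.

```powershell
# Added example (not from the thread): enumerate Cert:\LocalMachine\My and report
# which certificates satisfy the criteria from Greg's reply for IPsec authentication.
# Assumes Windows PowerShell 5.1 or later; the EKU OIDs are the ones quoted in the thread.
$ClientAuth = '1.3.6.1.5.5.7.3.2'
$ServerAuth = '1.3.6.1.5.5.7.3.1'

function Test-IPsecCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $reasons = @()

    # EnhancedKeyUsageList is the property PowerShell adds to X509Certificate2 objects;
    # each entry carries the OID string in .ObjectId.
    $ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if (-not ($ekus -contains $ClientAuth -or $ekus -contains $ServerAuth)) {
        $reasons += "EKU has neither Client Authentication ($ClientAuth) nor Server Authentication ($ServerAuth)"
    }

    # IKE needs to sign with the private key, so a public-key-only import is not enough.
    if (-not $Cert.HasPrivateKey) { $reasons += 'no private key in the machine store' }

    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $reasons += 'outside its validity period'
    }

    # Verify() builds the chain against the machine's trusted roots, which covers
    # "the root CA certificate is installed on both machines" from the question.
    if (-not $Cert.Verify()) { $reasons += 'chain does not validate to a trusted root CA on this host' }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Only the computer store counts. A certificate enrolled into Cert:\CurrentUser\My
# never appears here, which is exactly the symptom of a failing SA negotiation that
# succeeds again with a pre-shared key.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IPsecCertificate -Cert $_ } |
    Format-Table Subject, Usable, Reasons -AutoSize
```

If every row reports Usable as False with the EKU reason, the certificate was issued from a template without either OID, which is what the Web Server or Workstation Authentication template (or a duplicate of one of them, published for issue as Greg describes) fixes. If the list is empty while the certificate is visible in the user's own store, it was enrolled into the wrong store.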
Peter Kerkhof
      06-12-2007, 09:23 AM

Hello Greg,

Your template suggestion did the trick. Now I can devise a customized lab
using this mechanism. Thanks a lot.

Peter Kerkhof (MCSE, MCT)


"Greg Lindsay [MSFT]" wrote:

> Hi Peter,
>
> It sounds like a problem with the enhanced key usage (EKU) of the
> certificate you installed. Check that it has either Client Authentication
> (1.3.6.1.5.5.7.3.2) or Server Authentication (1.3.6.1.5.5.7.3.1), and that
> it is found in the local computer certificate store (not the user
> certificate store).
>
> Here are a couple of references that may help:
> http://support.microsoft.com/kb/253498
> http://www.microsoft.com/technet/pro...o/ispstep.mspx
>
> You can also install a certificate using the templates (certtmpl.msc) on
> your CA. The Web server template has the server authentication EKU, and the
> Workstation Authentication template has a client auth EKU. You will need to
> make sure the machine name or user account has permission to enroll, then
> you can request one of these certificates. Instead of modifying permission
> on the default templates, you might want to duplicate one or the other and
> create your own custom certificate. If you do this, be sure to publish the
> new template first by right-clicking certificate templates in the
> certsrv.msc console (new..certificate template to issue).
>
> I hope this helps! If I can be of more assistance, please send me an email
> (see below, remove the "online" to get the correct email address)
>
> --
> Greg Lindsay [MSFT]
> (E-Mail Removed)
>
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
>
> "Peter Kerkhof" <(E-Mail Removed)> wrote in message
> news:C97B4B02-B02D-40B7-8C9F-(E-Mail Removed)...
> > Hello everybody,
> >
> > Why is it that I have no difficulty in finding references to
> > certificate-based IPsec-connections, but a waterproof step-by-step seems
> > nowhere to be found? I am currently using two virtual 2003 Enterprise
> > Servers
> > that use Ipsec when establishing ICMP sessions. On one of them I installed
> > a
> > CA. The root CA certificate is installed on both machines. However, each
> > time
> > I select Use a certificate from this Certificate Authority as the
> > authentication method to be used in my ICMP Ipsec policy (the configured
> > action is to require security) the SA Negotiation fails. As soon as I
> > switch
> > to pre-shared key authentication, the connection is established. It would
> > seem therefore that the problem has to do with acquiring the right
> > certificate. What am I missing? Clues, anybody?
> >
> > Greetings
> > --
> > Peter Kerkhof (MCSE, MCT)
