Sign in with
Sign up | Sign in
Your question

Using Certificates with IPSEC

Last response: in Windows 2000/NT
Share
January 28, 2005 3:25:05 PM

Archived from groups: microsoft.public.win2000.security (More info?)

How do you implement IPSEC using Certificates? Right now I have it set up
with Kerberos. Does the Client/Server have to have each others Certificate,
etc?

More about : certificates ipsec

Anonymous
a b 8 Security
January 28, 2005 6:33:54 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <FAD1D514-2475-41A9-8081-D1C35E4B9146@microsoft.com>,
Scotty@discussions.microsoft.com says...
> How do you implement IPSEC using Certificates? Right now I have it set up
> with Kerberos. Does the Client/Server have to have each others Certificate,
> etc?
>
Both endpoints (computers) must have a certificate that chains to the
same root CA, or to CAs that are trusted by the opposite endpoint.

Brian
January 28, 2005 6:33:55 PM

Archived from groups: microsoft.public.win2000.security (More info?)

What is the process of trusting other computers for IPSEC using Certificates?

"Brian Komar" wrote:

> In article <FAD1D514-2475-41A9-8081-D1C35E4B9146@microsoft.com>,
> Scotty@discussions.microsoft.com says...
> > How do you implement IPSEC using Certificates? Right now I have it set up
> > with Kerberos. Does the Client/Server have to have each others Certificate,
> > etc?
> >
> Both endpoints (computers) must have a certificate that chains to the
> same root CA, or to CAs that are trusted by the opposite endpoint.
>
> Brian
>
Related resources
Anonymous
a b 8 Security
January 28, 2005 7:10:40 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <3922BF52-8930-4BC0-80E2-490DEED7D733@microsoft.com>,
Scotty@discussions.microsoft.com says...
> What is the process of trusting other computers for IPSEC using Certificates?
>
> "Brian Komar" wrote:
>
> > In article <FAD1D514-2475-41A9-8081-D1C35E4B9146@microsoft.com>,
> > Scotty@discussions.microsoft.com says...
> > > How do you implement IPSEC using Certificates? Right now I have it set up
> > > with Kerberos. Does the Client/Server have to have each others Certificate,
> > > etc?
> > >
> > Both endpoints (computers) must have a certificate that chains to the
> > same root CA, or to CAs that are trusted by the opposite endpoint.
> >
> > Brian
> >
>
1) You have to deploy the certificates to the two endpoint computers
2) Change the authentication method for the IP Security Rule to
certificates, rather than Kerberos or pre-shared keys. When you
designate the certificate on the AUthentication Methods tab, you then
designate the root CA certificate that must be used.

Correcting myself, you must use the same root CA on both ends. The CA
can be different CAs that chain to the same root CA.

Brian
Anonymous
a b 8 Security
January 28, 2005 9:02:04 PM

Archived from groups: microsoft.public.win2000.security (More info?)

One more thing:
Make sure the certs are machine certs and not user certs.

--
Louise Bowman
(MSFT)
This posting is provided "AS IS" with no warranties, and confers no rights.
"Brian Komar" <bkomar@nospam.identit.ca> wrote in message
news:MPG.1c64744c3faedf529896c2@msnews.microsoft.com...
> In article <3922BF52-8930-4BC0-80E2-490DEED7D733@microsoft.com>,
> Scotty@discussions.microsoft.com says...
> > What is the process of trusting other computers for IPSEC using
Certificates?
> >
> > "Brian Komar" wrote:
> >
> > > In article <FAD1D514-2475-41A9-8081-D1C35E4B9146@microsoft.com>,
> > > Scotty@discussions.microsoft.com says...
> > > > How do you implement IPSEC using Certificates? Right now I have it
set up
> > > > with Kerberos. Does the Client/Server have to have each others
Certificate,
> > > > etc?
> > > >
> > > Both endpoints (computers) must have a certificate that chains to the
> > > same root CA, or to CAs that are trusted by the opposite endpoint.
> > >
> > > Brian
> > >
> >
> 1) You have to deploy the certificates to the two endpoint computers
> 2) Change the authentication method for the IP Security Rule to
> certificates, rather than Kerberos or pre-shared keys. When you
> designate the certificate on the AUthentication Methods tab, you then
> designate the root CA certificate that must be used.
>
> Correcting myself, you must use the same root CA on both ends. The CA
> can be different CAs that chain to the same root CA.
>
> Brian
!