Using Certificates with IPSEC

Archived from groups: microsoft.public.win2000.security (More info?)

How do you implement IPSEC using Certificates? Right now I have it set up
with Kerberos. Does the Client/Server have to have each others Certificate,
etc?
4 answers Last reply
More about using certificates ipsec
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    In article <FAD1D514-2475-41A9-8081-D1C35E4B9146@microsoft.com>,
    Scotty@discussions.microsoft.com says...
    > How do you implement IPSEC using Certificates? Right now I have it set up
    > with Kerberos. Does the Client/Server have to have each others Certificate,
    > etc?
    >
    Both endpoints (computers) must have a certificate that chains to the
    same root CA, or to CAs that are trusted by the opposite endpoint.

    Brian
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    What is the process of trusting other computers for IPSEC using Certificates?

    "Brian Komar" wrote:

    > In article <FAD1D514-2475-41A9-8081-D1C35E4B9146@microsoft.com>,
    > Scotty@discussions.microsoft.com says...
    > > How do you implement IPSEC using Certificates? Right now I have it set up
    > > with Kerberos. Does the Client/Server have to have each others Certificate,
    > > etc?
    > >
    > Both endpoints (computers) must have a certificate that chains to the
    > same root CA, or to CAs that are trusted by the opposite endpoint.
    >
    > Brian
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    In article <3922BF52-8930-4BC0-80E2-490DEED7D733@microsoft.com>,
    Scotty@discussions.microsoft.com says...
    > What is the process of trusting other computers for IPSEC using Certificates?
    >
    > "Brian Komar" wrote:
    >
    > > In article <FAD1D514-2475-41A9-8081-D1C35E4B9146@microsoft.com>,
    > > Scotty@discussions.microsoft.com says...
    > > > How do you implement IPSEC using Certificates? Right now I have it set up
    > > > with Kerberos. Does the Client/Server have to have each others Certificate,
    > > > etc?
    > > >
    > > Both endpoints (computers) must have a certificate that chains to the
    > > same root CA, or to CAs that are trusted by the opposite endpoint.
    > >
    > > Brian
    > >
    >
    1) You have to deploy the certificates to the two endpoint computers
    2) Change the authentication method for the IP Security Rule to
    certificates, rather than Kerberos or pre-shared keys. When you
    designate the certificate on the AUthentication Methods tab, you then
    designate the root CA certificate that must be used.

    Correcting myself, you must use the same root CA on both ends. The CA
    can be different CAs that chain to the same root CA.

    Brian
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    One more thing:
    Make sure the certs are machine certs and not user certs.

    --
    Louise Bowman
    (MSFT)
    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Brian Komar" <bkomar@nospam.identit.ca> wrote in message
    news:MPG.1c64744c3faedf529896c2@msnews.microsoft.com...
    > In article <3922BF52-8930-4BC0-80E2-490DEED7D733@microsoft.com>,
    > Scotty@discussions.microsoft.com says...
    > > What is the process of trusting other computers for IPSEC using
    Certificates?
    > >
    > > "Brian Komar" wrote:
    > >
    > > > In article <FAD1D514-2475-41A9-8081-D1C35E4B9146@microsoft.com>,
    > > > Scotty@discussions.microsoft.com says...
    > > > > How do you implement IPSEC using Certificates? Right now I have it
    set up
    > > > > with Kerberos. Does the Client/Server have to have each others
    Certificate,
    > > > > etc?
    > > > >
    > > > Both endpoints (computers) must have a certificate that chains to the
    > > > same root CA, or to CAs that are trusted by the opposite endpoint.
    > > >
    > > > Brian
    > > >
    > >
    > 1) You have to deploy the certificates to the two endpoint computers
    > 2) Change the authentication method for the IP Security Rule to
    > certificates, rather than Kerberos or pre-shared keys. When you
    > designate the certificate on the AUthentication Methods tab, you then
    > designate the root CA certificate that must be used.
    >
    > Correcting myself, you must use the same root CA on both ends. The CA
    > can be different CAs that chain to the same root CA.
    >
    > Brian
Ask a new question

Read More

Security Microsoft Windows