Certificates on Floppy Disk?

Discussion in 'Server Security' started by Marc, Sep 1, 2004.

  1. Marc

    Marc Guest

    I want to implement L2TP with a Certificate Server on SBS 2003.

    Normally, to distribute the certificates to the clients, these have to be
    connected to the network. Is there no other way? E.g. copying the
    certificate to a CD or floppy, and then distributing the certificate to the
    client PC with this CD/floppy...

    How can this be done?

    Marc
     
    Marc, Sep 1, 2004
    #1

  2. You can use Web Enrollment and have the user request the machine certificate that way,
    though the user will need to be in the local administrator group and do an advanced
    request for the router offline certificate and select install to local machine store [at
    least if using an Enterprise CA - may differ a bit for a standalone CA]. If this is an
    Enterprise CA you will first have to enable the CA to issue the offline IPsec
    certificate. The link below may help. --- Steve

    http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp
     
    Steven L Umbach, Sep 1, 2004
    #2
  5. Your admin can "Enroll-On-Behalf-Of" each user, once the certificate is
    present on the admin machine he can export it to a portable media and send
    it to the user.
     
    Avi Ben-Menahem [MSFT], Sep 1, 2004
    #5
  6. If you want to place the computer certificates on a floppy or email them to the users
    follow these steps. This is assuming the use of an Enterprise CA and may differ for a
    stand-alone CA. The IPsec offline template needs to be added in the Certificate Authority
    Management Console via policy settings/new - certificate to issue.

    -- Enable Web Enrollment on your CA and log on to it as an administrator. You can use
    the computer name as in http://CAservername/certsrv.

    -- Select request a certificate then next, select advanced request then next, select
    submit a certificate to this CA then next.

    -- For certificate template select router (offline request). In identifying
    information under name type the name of the computer you are requesting for, using the
    fully qualified domain name if in an AD domain as in computer1.mydomain.com. The
    rest of the information in identifying information is optional. Under key options
    select "mark keys as exportable" [do not select export keys to a file] and select
    "use local machine store". Then select submit at the bottom of the page.

    -- The next page should show that the certificate you requested was issued to you and
    give you the option to install this certificate, which you want to do. You may receive
    warning messages along the way; just OK those messages.

    -- After you are done requesting certificates, go to your computer certificate store by
    using mmc and selecting add snap-in for certificates for computer account. Go to the
    personal/certificates folder and you should see the certificates you issued and
    installed. Right click one of those certificates and select all tasks/export. The
    export wizard will start. Select next and choose yes for export the private key and
    unselect enable strong protection, as the user will have to enter the private key
    password every time the private key is used unless you want that feature. Select next
    and enter a password for the private key, which will need to be communicated to the end
    user in order to open the .pfx file you are going to create. Then select a filename
    and browse to where you want to save it. Select finish and you should get a message
    that the export was successful.

    -- You can now distribute that file to the user that needs it. They will open the file
    and need to enter the password you used to protect the private key. The wizard will
    automatically install the private key/certificate. I have noticed that it may install
    in the wrong store - user instead of computer - and the certificate will not work for
    L2TP. If that happens, instruct the user to open their mmc snap-in for the computer
    store to see if the certificate is present. If it is not, they will have to go to the
    personal folder for the computer store and select import and then browse to the .pfx
    file to install it to the computer store.

    -- The computer will also need to have the certificate for your Certificate Authority
    in their Trusted Root CA folder in the mmc snap-in for computer accounts. You can
    easily export your CA certificate [no need for private key] to a .cer file and
    distribute that to users also to import into their computer. If they open the file
    the wizard should automatically install that certificate for your CA in the right
    folder. --- Steve

     
    Steven L Umbach, Sep 1, 2004
    #6
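The export / distribute / import steps of the procedure above, as an added example that is not part of the thread: two PowerShell functions built on the PKI module cmdlets (Export-PfxCertificate, Export-Certificate, Import-PfxCertificate, Import-Certificate, Test-Certificate) that ship with Windows 8 / Server 2012 and later. The Windows 2000/2003 systems in this thread predate those cmdlets, which is why the post uses the MMC wizard. The client name client1.mydomain.com, the CA name "MyCompany CA" and the staging folder D:\transfer are placeholders. The import side names Cert:\LocalMachine\My explicitly, which is the fix for the "landed in the user store" failure mode Steve describes, and then verifies the store, the private key and the chain to the CA.

```powershell
# Added example (not the thread's own steps). Requires the PKI module on a
# current Windows and an elevated session. Placeholder names are marked below.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Admin side: export the machine cert with its private key to a password-protected
# .pfx, and the CA certificate (public part only) to a .cer, onto portable media.
function Export-L2tpClientBundle {
    param(
        [Parameter(Mandatory)][string]$ClientFqdn,      # subject CN of the issued machine cert
        [Parameter(Mandatory)][string]$CaName,          # CN of the issuing CA
        [Parameter(Mandatory)][string]$OutDir,          # floppy / CD staging folder
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ClientFqdn" -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) { throw "No machine certificate with a private key for $ClientFqdn" }

    # This call fails if the key was not marked exportable at request time;
    # that cannot be changed after issuance, the cert has to be re-requested.
    $pfxPath = Join-Path $OutDir "$ClientFqdn.pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword `
        -ChainOption EndEntityCertOnly | Out-Null

    $caCert = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CaName*" } | Select-Object -First 1
    if (-not $caCert) { throw "CA certificate '$CaName' not found in LocalMachine\Root" }
    $cerPath = Join-Path $OutDir "$CaName.cer"
    Export-Certificate -Cert $caCert -FilePath $cerPath -Type CERT | Out-Null   # no private key

    [pscustomobject]@{ Pfx = $pfxPath; CaCer = $cerPath; Thumbprint = $cert.Thumbprint }
}

# Client side: import both files into the *computer* stores. Naming the store
# avoids the wizard dropping the .pfx into the user store, where L2TP/IPsec
# will not find it.
function Import-L2tpClientBundle {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$CaCerPath,
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    Import-Certificate -FilePath $CaCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    $imported = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
        -CertStoreLocation Cert:\LocalMachine\My     # key is non-exportable on the client by default

    # Verify: present in LocalMachine\My, private key attached, chain builds to the CA.
    $check = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
    if (-not $check -or -not $check.HasPrivateKey) {
        throw 'Certificate did not land in the computer store with its private key'
    }
    if (-not (Test-Certificate -Cert $check -Policy Base -ErrorAction SilentlyContinue)) {
        throw 'Chain does not validate; check that the CA .cer went into LocalMachine\Root'
    }
    $check
}

# Usage (first on the admin machine, then on the client from the same media):
#   $pw = Read-Host -AsSecureString 'PFX password (give it to the user out of band)'
#   $b  = Export-L2tpClientBundle -ClientFqdn client1.mydomain.com -CaName 'MyCompany CA' `
#             -OutDir 'D:\transfer' -PfxPassword $pw
#   Import-L2tpClientBundle -PfxPath $b.Pfx -CaCerPath $b.CaCer -PfxPassword $pw
```

The PFX password is the only thing protecting the private key while it travels on the floppy or in email, so it should go to the user by a separate channel, and the media should be wiped once the import has been verified.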
  7. Marc

    Marc Guest

    Thanks for this very detailed answer!

    Marc

     
    Marc, Sep 2, 2004
    #7
  8. Marc

    Marc Guest

    I've stumbled into a problem:

    select "mark keys as exportable"

    This option is greyed out.

    What could be the reason?

    Marc

     
    Marc, Sep 2, 2004
    #8
  9. Where did you see this? When you try to export it from your certificate store? If so,
    you have to select the option for "mark keys as exportable" when you request the
    certificate via Web Enrollment. When I do this I am using a Windows 2000 Enterprise
    Certificate Authority and am logged onto the domain as a domain administrator when
    requesting the certificates. It may be a bit different for Windows 2003. --- Steve

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
    -- more details on Windows 2003 PKI.

     
    Steven L Umbach, Sep 3, 2004
    #9
  10. I fired up my Windows 2003 domain controller to see how Certificate Services was
    different and found out the IPsec offline template does have the "export keys" box
    grayed out when used with Web Enrollment. What you need to do is create a "duplicate
    template" of the IPsec offline template. Open up the CA Management Console and go to
    certificate templates and then right click and select manage. Find the IPsec offline
    template, right click and select duplicate. Create a duplicate template and name it
    something a bit different. Then go to the "request handling" page and check allow
    private key to be exportable. Save the template and add it to the list of available
    templates. The link below explains a bit more.

    http://www.microsoft.com/resources/...3/standard/proddocs/en-us/ctcon_howto_new.asp

    I noticed after creating the new template that it does not appear in Web Enrollment
    right away but after about 15 minutes it showed up [at least for me] and then allowed
    me to check "mark keys as exportable" and create a certificate/private key in the
    computer store. --- Steve

     
    Steven L Umbach, Sep 3, 2004
    #10
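A check to go with the duplicate-template step above, added here and not part of the thread: before handing out .pfx files, list every certificate in the computer's Personal store that has a private key, the template it was issued from, and whether that key was actually marked exportable at request time. It relies on the .NET 4.6+ RSACertificateExtensions API and CNG/CSP key metadata available on a current Windows; the 2003-era machines in the thread do not have these, and there the only check is whether the MMC export wizard offers the "export the private key" option. The store path is a parameter so the same function can be pointed at Cert:\CurrentUser\My to find certificates that landed in the wrong store.

```powershell
# Added example (not the thread's own steps). Run elevated so the private key
# metadata of machine certificates is readable.
function Get-MachineCertKeyExportability {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($c in Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey }) {
        # Template name (V1 templates, OID ...311.20.2) or template OID/version
        # (V2 duplicates created in the template console, OID ...311.21.7)
        $template = ($c.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }) -join '; '

        $exportable = $null   # stays $null for non-RSA keys, which this check does not cover
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
            if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: the exportable flag lives on the key container
                $exportable = $key.CspKeyContainerInfo.Exportable
            } elseif ($key -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the export policy must allow (encrypted) export
                $exportable = $key.Key.ExportPolicy.HasFlag(
                    [System.Security.Cryptography.CngExportPolicies]::AllowExport)
            }
        } catch {
            $exportable = "unknown ($($_.Exception.Message))"   # e.g. no access to the key
        }

        [pscustomobject]@{
            Subject       = $c.Subject
            Thumbprint    = $c.Thumbprint
            Template      = $template
            KeyExportable = $exportable
        }
    }
}

# Certificates whose KeyExportable is False were requested without "mark keys as
# exportable" (or from a template that forbids it) and must be re-requested, not
# exported; the export wizard cannot override that.
Get-MachineCertKeyExportability | Format-Table -AutoSize
```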
  11. Marc

    Marc Guest

    It seems with every step I stumble into a new problem. I can't say the
    procedure is very straightforward...
    I made the new template, saved it, but then... How can I put it in the list
    of available templates? When I select 'Certificate Template to Issue' I see a list,
    but my new template isn't in this list...

    Marc

     
    Marc, Sep 3, 2004
    #11
  12. Marc

    Marc Guest

    Can it have something to do with the fact that the copy of the certificate
    states:

    'Minimum supported CAs: Windows Server 2003, ENTERPRISE Edition,'

    Where the original stated: 'Windows 2000'

    If yes, is there a solution for this, as I don't have the Enterprise
    Edition...

    Marc

     
    Marc, Sep 3, 2004
    #12
  13. Darn. Sounds like you are out of luck. I remember reading in the last link I provided
    for duplicating templates that the duplicate template will only work for Enterprise
    Edition. I was not sure what your SBS2003 would be classified as. Can't think of any
    other way than having your remote users connect to your Certificate Server to
    request a certificate, which can be done over the internet. I did it occasionally by
    port forwarding my router to my CA and then used the current IP address I had from my
    ISP in the address bar as http://123.123.123.123/certsrv. Of course I made sure my
    server was fully patched and shut down that port forwarding when not needed so as to
    not leave my CA server exposed to the internet, even though authentication is needed
    for access to certificates. --- Steve


     
    Steven L Umbach, Sep 3, 2004
    #13
  14. Marc

    Marc Guest

    Thanks again for the answer.

    Just wondering why Microsoft makes it so hard to implement security. I
    thought they would make it easier?

    Marc

     
    Marc, Sep 4, 2004
    #14
  15. I think it is because the argument can be made for exportable keys being a risk when
    deemed not necessary. Though I think that should be up to the admin to decide. ---
    Steve


     
    Steven L Umbach, Sep 4, 2004
    #15