Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 706
  • Last Modified:

Certification Authority

Hi,

I've implement Certification Authority within our network and have a few questions.

If I open the MMC for Cert Authority and look at Issued Certicates I can see that Certificates have been automatically issued to all clients and servers except DC's, is this normal?

Also, the main reason that I installed this was so that I could create a certificate to be used with a remote VPN using L2TP but haven't been able to figure out how to do this yet.  Any help would be great.

Since having this service installed I've notice a noticable increase in speed when accessing network resources!!!

Thanks in advance.
0
ukking
Asked:
ukking
  • 2
  • 2
1 Solution
 
KingHollisCommented:
ukking,

Is this a Windows 2003 environment?
In Windows 2003, machine [computer] certificate auto-enrollment is configured by default. In Window 2000 you have to manually configure this in a GPO. Navigate to the Default Domain Policy GPO-->Computer Configuration-->Windows Settings-->Security Settings-->Public Key Policies-->Automatic Certificate Request Policies. Here you should see Computer to indicate computer certs are auto-issued. Right-mouse click, select New-->Automatic Certificate Request-->Domain Controllers. You will need to refresh the policy in order to get the DC to initiate the enrollment. Domain controllers should get a Domain Controller certificate. If the CA is a DC, it will have two-- one for the CA and one DC one. Create a MMC snap-in and select Certificates for local machine--then look under Personal->Certificates and you should see them.

The long and short of setting up L2TP VPNs is it is merely a PPTP VPN with IPSec policies enabled. So, once you run through the wizard to set up your VPN [one calling and one answering] selecting the "Use L2TP first then PPTP", you merely set up an IPSec policy to enforce the use of IPSec when initiating communications with the other location. You can make this as specific as just PPTP traffic or all traffic. I suggest you set it up to require encryption for all traffic--makes testing easier [even pings will initiate the IPSec communication]. Initially, configure your IPSec policy to use a preshared key [a password] to authenticate the connection to test it. Once you are certain it works [use ipsecmon.exe to view it], then you can edit the policy to use the certificate issued to your machines. Just make sure that both machines have computer certificates from the same certificate authority or root.

So, here are useful links with the details of what I explained:
Setting up Site-to-site VPN [PPTP]
http://www.microsoft.com/downloads/details.aspx?FamilyID=7424168e-f745-4450-b671-aac2c79568eb&DisplayLang=en

Setting up IPSec
http://www.microsoft.com/downloads/details.aspx?FamilyID=7424168e-f745-4450-b671-aac2c79568eb&DisplayLang=en

Hope this helps.
Best of luck!
0
 
ukkingAuthor Commented:
Sorry,

Windows 2000.  I've seen this Q before and I couldn't use it with windows 2000.
0
 
ukkingAuthor Commented:
Sorry should read the WHOLE question before answering.

That's excellent!!!

Thanks very much.
0
 
KingHollisCommented:
No worries! Anything to help fellow royalty.

Thanks for your consideration.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now