Cannot Create IPSEC Certificates using Windows Server 2000 Certificate Authority

Posted on 2007-08-08
Medium Priority
Last Modified: 2009-06-14
I am trying to create certificates for an IPSEC enabled VPN using a Windows 2000 server with Microsoft's CA. I have set up the CertSrv services and can successfully get a "Basic EFS" or "User" certificate through the web based certificate services "http://servername/CertSrv" (request certificate -> advanced request -> Submit a certificate request using ....). The problem is that the certificate template type "IPSEC" does not show in the list of Certificate Templates. Only "Basic EFS" or "User".

I checked the CA configuration and there is a profile for IPSEC enabled, but it still does not show up in the list.
Question by:vrobison

Expert Comment

ID: 19701785
There are usually three reasons why a certificate template won't appear in either the MMC enrollment wizard or the web-based enrollment page:
1. The CA to which the user/computer has access doesn't have the cert template in its list of published cert templates.  [Sounds like you've already confirmed this requirement.]
2. The cert template doesn't allow "Read" and "Enroll" permissions for the user/computer who is the enrollment client of interest.  [This is the one that usually bites me on the butt.]
3. The cert template is simply not allowed to issue to a user (it's a computer-only cert template).  I don't remember exactly what kind of cert template this describes, but I remember fighting for a few weeks to get some scenario to work, and finally gave up when I was told that the CA simply wouldn't allow the user account to enroll that type of cert.  [I don't think the basic IPSEC cert template is one of these "special" templates, but keep that in mind if we can't fix it any other way.  I *think* this just applies to the legacy "version 1" certificate templates, that aren't editable, where the Subject Name tab has "Computer or other device" selected under "Type of subject".]

To enable #2, you should take the following steps:
1. Start the Active Directory Sites and Services console.
2. Under the View menu, toggle "Show Services Node".  [This hides some really useful functionality, so I don't understand why Microsoft decided to hide this.]
3. Browse into Services > Public Key Services > Certificate Templates and you'll see all the possible cert templates that could be published by CAs in your AD forest.
4. Right-click the cert template of interest (in your case, the one labelled IPSEC), and look at the Security tab.
5. Look at the groups currently listed.  For any group that the intended user is a member of, do they have Read and Enroll permissions?  If not, is the user a member of any set of groups that *in aggregate* have Read and Enroll permissions?  [The Allow permissions are cumulative, so it's not *necessary* to grant *both* Read and Enroll to a single group.]
6. If not, then all you have left to do is decide which way you'll assign permissions: will you add the user to one of the listed groups (or one of the groups nested in those groups), or will you create a new AD group, add the user (and others) and assign Read/Enroll/Autoenroll permissions to that group?

Hope this helps.  Please report back on how your investigation goes.

Accepted Solution

poseidoncanuck earned 2000 total points
ID: 19866465
Y'know, I noticed this question still hasn't been closed so I took another look at it, and it looks like I screwed up my earlier answer.

Now that I'm thinking about this problem tonight, I realize that the IPSEC digital certificate will only be able to be enrolled by Computers, not Users.  However, the web enrollment pages are only intended for Users, not Computers.  Not only are you authenticating as a User (that probably doesn't have specific permissions to the IPSEC certificate), but I believe that CertSrv (or something in the web enrollment pages) will actually deny any attempts to enroll a Computer-oriented certificate like the default IPSEC certificate.

Instead, I'd try using the Certificates Snap-in and try manually enrolling the computer for this certificate from there:
- connect the Windows computer to the network so you're sure it has connectivity to the CA.
- logon to the computer as an account that is an administrator of the computer
- click the Start button, choose Run, then type "MMC.EXE".
- File > Add/Remove Snap-in > Add > Certificates
- When it asks, choose "Computer account"
- choose Next, Finish, then Close, then OK
- browse "Certificates (Local Computer)", Personal, Certificates
- right-click the Certificates folder, choose "All Tasks", then "Request New Certificate".
- follow the wizard, then wait to see if you're successful with the enrollment request.

If this manual enrollment using the Certificates snap-in works, then Autoenrollment should work fine for any Computer that's a member of the domain.

Also note: in a multi-domain forest, the permissions on the Certificate Templates often have to be updated to allow all Computers or Users from additional domains to be able to enroll MS CA-generated certificates.  That's because when Windows installs the CA on a server, it'll configure the default permissions with domain groups from the domain where the server is a member.  However, it's not smart enough to automatically find all other trusted domains and ALSO add permissions for the same domain groups from other domains in the forest.  This is something you'd have to do by hand, and while nothing in your message indicates this might be the cause, it's one more thing to look for.
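An added check covering both points above (the template permission audit from the first comment's steps 4-6, evaluated for the computer account because the accepted answer notes the IPSec template is computer-only). This is modern PowerShell written for this page, not code from the thread or from Windows 2000; it assumes the ActiveDirectory module, that the default v1 "IPSec" template's AD object name is IPSECIntermediateOnline, and a computer named WKS01.

```powershell
# Added example (not from the original thread): audits the cumulative Read + Enroll
# permissions a domain computer holds on a certificate template, i.e. what steps 4-6 of
# the earlier comment check by hand, evaluated for the COMPUTER account because the IPSec
# template is computer-only. Assumes the ActiveDirectory module, the default v1 "IPSec"
# template's AD object name IPSECIntermediateOnline, and a computer named WKS01.
Import-Module ActiveDirectory
$AD = [System.DirectoryServices.ActiveDirectoryRights]
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

function Get-ComputerSidSet {
    # SIDs the computer presents: itself, Authenticated Users, its primary group (not stored in
    # any group's 'member' attribute, so walked separately) and every nested group of both.
    param([string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties primaryGroupID
    $primary = Get-ADGroup -Identity "$((Get-ADDomain).DomainSID.Value)-$($c.primaryGroupID)"
    $sids = @($c.SID.Value, $primary.SID.Value, 'S-1-5-11')
    foreach ($dn in @($c.DistinguishedName, $primary.DistinguishedName)) {
        # LDAP_MATCHING_RULE_IN_CHAIN returns transitive (nested) group membership
        Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
            ForEach-Object { $sids += $_.SID.Value }
    }
    return ($sids | Sort-Object -Unique)
}

function Test-TemplateEnrollAccess {
    param([string]$TemplateName, [string]$ComputerName)
    $config = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
    $sids = Get-ComputerSidSet -ComputerName $ComputerName
    $read = $false; $enroll = $false; $deniedBy = @()
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sids -notcontains $sid) { continue }          # ACE does not apply to this computer
        $r = $ace.ActiveDirectoryRights
        $hasRead = ($r -band $AD::ReadProperty) -ne 0      # Read, GenericRead and GenericAll set this bit
        $hasEnroll = (($r -band $AD::GenericAll) -eq $AD::GenericAll) -or
                     ((($r -band $AD::ExtendedRight) -ne 0) -and
                      ($ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq [guid]::Empty))
        if ($ace.AccessControlType -eq 'Deny') {
            if ($hasRead -or $hasEnroll) { $deniedBy += $ace.IdentityReference.Value }
            continue
        }
        if ($hasRead)   { $read   = $true }                # Allow ACEs are cumulative across groups
        if ($hasEnroll) { $enroll = $true }
    }
    [pscustomobject]@{ Template = $TemplateName; Computer = $ComputerName; Read = $read
                       Enroll = $enroll; DeniedBy = $deniedBy
                       CanEnroll = ($read -and $enroll -and $deniedBy.Count -eq 0) }
}

Test-TemplateEnrollAccess -TemplateName 'IPSECIntermediateOnline' -ComputerName 'WKS01'
```

If CanEnroll is true, the machine-context equivalent of the snap-in request on the computer itself (elevated, PKI module on Windows 8/2012 or later) is `Get-Certificate -Template IPSECIntermediateOnline -CertStoreLocation Cert:\LocalMachine\My`.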
