Solved

Certificate based authentication

Posted on 2013-12-18
Last Modified: 2014-01-26
Hi Experts,

I want to set up a standalone CA for issuing certificates for laptops outside the domain.
Can you please send me a link or file, if you have one, on how to create the certificates?
I have been trying this for more than a week but am not able to fix it; it seems something I am missing, which I am not sure of.
Can you please suggest whether the root certificate should be installed/placed in the VPN appliance hardware or the server certificate, and also whether I need to install the server certificate along with the client certificate for authentication?

Regards,
Skumar.
Question by:Skumar_CCSA
8 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39726605
It's tough to say for sure, but what are you trying to secure using the certificates? Typically certs are issued via automation like GPO's or scripts. You can also send certificates to users emails or in download links for them to import. If the users are using a browser to make a connection you can tell them to Accept the certificate found at url xyz... I'm sure you've seen self-signed or expired certificate's prompt you to accept them before, it's the same thing for you if the users are using a browser.
We're going to need more detail on what you are using the certs for.
-rich
 

Author Comment

by:Skumar_CCSA
ID: 39727589
Hi Rich,

Setting up 2FA for VPN users.

SSL certificate authentication (root certificate will be placed in the VPN appliance hardware, client certificate will be installed on the laptops).

The VPN appliance will verify the client certificate and sign; after a successful sign it will send a request to the RADIUS server for OTP authentication.

I have checked that it works well if I remove the certificate authentication process, but SSL certificate authentication cannot be skipped in the design.

No GPO, since the users' laptops will be outside the network and not members of the domain, and we cannot afford to have a public site for laptop users to download the certificate from the web or to create a certificate request by themselves. The plan is that all non-domain laptops will have certificates installed manually after prior approval, since they are outside users.

I have installed a standalone CA, created root certificates, and placed them in the BIG-IP VPN appliance for certificate verification. The VPN appliance will check for client certificates; if the laptop user does not have a client certificate, the session will be terminated.

I created client certificates and installed them on a laptop. After the installation I can see the client certificate in the Personal certificate window, but it did not work.

Can you please help me out with steps for the above solution? I am not sure which key steps are being missed.

Regards,
Skumar
 

Author Comment

by:Skumar_CCSA
ID: 39729666
Thanks for your kind help....
Appreciated......
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 39731813
I apologize that I'm responding without spending more time reading, but I'm rushed in real life and wanted to at least give you some links.

Installing certificates for VPN connections shouldn't have changed much between WinServer 2003 and 2008... so that technet article should help.  (It's essentially using the advanced request... still a relatively manual process on the workstation.)

This SANS paper on the subject might help, although it is more geared towards the cisco hardware solution.

If you're using your own root CA, yes, you'll need the CA cert on each of the devices that'll be trusting it (usually along with intermediate CA certs). The server cert shouldn't be required to be installed on the client, though; but the client will need to be able to access the CRL location published in the cert.
 

Author Comment

by:Skumar_CCSA
ID: 39731836
Hi,

Thanks for the response and suggestions.
My design is to have certificate authentication in the first place and then RADIUS account authorization.

Yes, all client laptops will be issued a client certificate for authentication, and the root CA will be imported into the VPN appliance hardware for 1st-level authentication as and when a client connects to the VPN. I have done everything as described in the steps, but something is missing; I am not sure what it is or what I am doing wrong.

I tried redoing it all and am still stuck at the same stage. Can you please share a link, if you know one, on how to create my own SSL ROOT certificate and client certificate?
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 39731949
I apologize, I'm not certain I understand.  When you say "create your own SSL ROOT certificate", you aren't referring to creating a self-signed certificate for SSL, are you?  Or are you attempting to get a copy of the CA's public certificate so you can import it elsewhere?  (The first link in my original post will have the simplified instructions for creating the client cert on the client... and you can export that cert in the certificate MMC.)
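The pieces the two Rich Weissler comments above describe (a private root whose certificate, not its key, is what the VPN appliance trusts; a client certificate issued under it and exported for manual import into the laptop's Personal store; and a CRL the verifier has to be able to reach), as an added worked example that is not part of this thread and not the poster's Windows standalone CA or BIG-IP configuration. It uses the openssl command-line tool and assumes OpenSSL 1.1.1 or later on PATH; the organisation, subjects, file names and the PKCS#12 password "changeit" are made up for the example.

```shell
#!/bin/sh
# Added example, not from this thread: the PKI pieces discussed above built with the
# openssl CLI instead of a Windows standalone CA and BIG-IP. Assumes openssl 1.1.1+.
#   root.pem   - CA certificate; this (public part only) is what the appliance trusts
#   root.key   - stays on the CA host, never goes to the appliance or a laptop
#   client.p12 - key + cert bundle installed manually into a laptop's Personal store
#   root.crl   - the CRL the verifier must be able to reach (empty until a revocation)
# Subjects, file names and the PKCS#12 password "changeit" are made up.
set -eu

write_config() {   # one config serves req, x509 -extfile and ca
  dir=$1
  cat > "$dir/pki.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_root
[ req_dn ]
[ v3_root ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = crl_ca
[ crl_ca ]
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
certificate      = $dir/root.pem
private_key      = $dir/root.key
default_md       = sha256
default_crl_days = 30
EOF
}

make_pki() {
  dir=$1
  mkdir -p "$dir"
  write_config "$dir"
  # 1. Self-signed root CA (CA:TRUE, keyCertSign + cRLSign).
  openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Corp/CN=Example Private Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem"
  # 2. Per-laptop key and CSR (generated on the CA host here; could be done on the laptop).
  openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=laptop-0001" \
    -keyout "$dir/client.key" -out "$dir/client.csr"
  # 3. Root signs the client cert with the clientAuth EKU a TLS client-auth check looks for.
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/pki.cnf" -extensions v3_client -out "$dir/client.pem"
  # 4. PKCS#12 bundle for manual import on the laptop (key, cert and the root).
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
    -certfile "$dir/root.pem" -passout pass:changeit -out "$dir/client.p12"
  # 5. Publish an (empty) CRL so revocation checking works from day one.
  : > "$dir/index.txt"
  echo 01 > "$dir/crlnumber"
  openssl ca -config "$dir/pki.cnf" -gencrl -out "$dir/root.crl"
}

# What the appliance does at connect time: build a chain to the trusted root,
# require a certificate fit for TLS client auth, and consult the CRL. Exit 0 = accept.
verify_client() {
  dir=$1; cert=$2
  openssl verify -CAfile "$dir/root.pem" -CRLfile "$dir/root.crl" -crl_check \
    -purpose sslclient "$cert"
}

# Revoke one laptop's certificate and republish the CRL.
revoke_client() {
  dir=$1; cert=$2
  openssl ca -config "$dir/pki.cnf" -revoke "$cert"
  openssl ca -config "$dir/pki.cnf" -gencrl -out "$dir/root.crl"
}

# The situation the poster describes: a certificate sits in the laptop's store but
# was not issued by the root the appliance trusts (a self-signed one, for example).
make_stray_cert() {
  dir=$1
  openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Example Corp/CN=laptop-0001" \
    -keyout "$dir/stray.key" -out "$dir/stray.pem"
}

d=$(mktemp -d)
make_pki "$d"
verify_client "$d" "$d/client.pem"                 # prints ".../client.pem: OK"
make_stray_cert "$d"
verify_client "$d" "$d/stray.pem"  || echo "stray cert rejected: not issued by root.pem"
revoke_client "$d" "$d/client.pem"
verify_client "$d" "$d/client.pem" || echo "client.pem rejected: it is on the CRL now"
```

Only root.pem and a reachable copy of root.crl belong on the appliance; the laptop gets client.p12 and nothing else. The stray-cert case is the one to check first when a certificate shows up in the Personal store yet the appliance still drops the session: a certificate that does not chain to the imported root, or that lacks the clientAuth EKU, fails exactly as the self-signed one does here.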
 

Author Closing Comment

by:Skumar_CCSA
ID: 39810941
After going through your link I am able to deploy the CA and issue certificates.