HOW TO: Install a Certificate for Use with IP Security (253498)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
This article was previously published under Q253498
SUMMARY
When IP Security (IPSec) is configured to use a
certification authority (CA) for mutual authentication, you must obtain a local
computer certificate. You can obtain this certificate from a third-party CA or
you can install Certificate Services in Windows to create your own CA. This
article describes how to install a local computer certificate for use with
IPSec from a stand-alone Windows CA. The local computer certificate is
requested by using HTTP. Because a local computer
certificate must be used with IPSec, you must submit an advanced request to the
CA to specify this.
Installing a Local Computer Certificate from a Stand-Alone Windows Certificate Authority
- The request is a Web address that contains the IP address
or name of the Certificate server, with "/certsrv" appended. In your Web
browser, type the following Web address:
http://IP address of CA/certsrv
Where IP address of CA is the IP
address or name of the Certificate server.
- In the initial Welcome screen of the Certificate server,
click Request a certificate, and then click Next.
- In the "Choose Request Type" screen, click Advanced
request, and then click Next.
- In the "Advanced Certificate Requests" screen, click
Submit a certificate request to this CA using a form, and then
click Next.
- In the "Advanced Certificate Request" screen, type your
name and your e-mail name in the appropriate boxes.
- Under Intended Purpose, select Client Authentication Certificate or IPSec Certificate. If you choose IPSec Certificate, then this certificate will only be used for IPSec.
- Under Key Options, click Microsoft Base Cryptographic Provider
v1.0, Signature for Key Usage and 1024 for Key Size.
- Leave the Create new key set option
enabled (you can clear the Container Name check box unless you want to specify a specific name), and then
click Use local machine store.
- Leave all the other options set to the default value unless
you need to make a specific change.
- Click Submit.
- If the Certificate Authority is configured to issue
certificates automatically, the "Certificate Issued" screen should appear.
Click Install this Certificate. The "Certificate Installed"
screen should appear with the message "Your new certificate has been
successfully installed."
- If the Certificate Authority is not configured to issue
certificates automatically, a "Certificate Pending" screen appears, requesting
that you wait for an administrator to issue the certificate that was requested.
To retrieve a certificate that an administrator has issued, return to the Web
address and click Check on a pending certificate. Click the
requested certificate, and then click Next. If the certificate is still pending, the "Certificate Pending"
screen appears. If the certificate has been issued, the "Install this
Certificate" screen appears.
Installing a Local Computer Certificate from an Enterprise Windows 2000 Certificate Authority
- The request is a Web address that contains the IP address
or name of the Certificate server, with /certsrv appended. In
your Web browser, type the following Web address:
http://IP address of CA/certsrv
Where IP address of CA is the IP address or name of the Certificate
server.
- If the machine you are using is not logged onto the domain
already, a prompt to supply domain credentials appears.
- In the initial Welcome screen of the Certificate server,
click Request a Certificate, and then click Next.
- In the Choose Request Type screen, click Advanced Request, and then click Next.
- In the Advanced Certificate Requests screen, click Submit a certificate request to this CA
using a form, and then click Next.
- In the Advanced Certificate Request screen for the Certificate Template option, select Administrator.
- Under Key Options, click Microsoft Base Cryptographic Provider
v1.0, Signature for Key Usage and 1024 for Key Size.
- Leave the Create new key set option
enabled (you can clear the Container Name check box unless you want to specify
a specific name), and then click Use local machine
store.
- Leave all the other options set to the default value unless
you need to make a specific change.
- Click Submit.
- The Certificate Issued screen should appear. Click Install this Certificate. The Certificate Installed screen should appear with the message:
Your new certificate has been successfully Installed
Verifying That the Local Computer Certificate Has Been Installed
After the certificate is installed, verify the location of the
certificate by using the Certificate (Local Computer) snap-in in Microsoft
Management Console (MMC). Your certificate should appear under Personal. If the certificate you have installed does not appear
here, the certificate was installed as a "User certificate request," or you did
not click Use local machine store within the advanced
request.
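A scripted version of this check, as an added example that is not part of the original article. It assumes a Windows system where PowerShell is available (it is not included with Windows 2000) and that the two Intended Purpose choices correspond to the enhanced key usage OIDs 1.3.6.1.5.5.7.3.2 (Client Authentication) and 1.3.6.1.5.5.8.2.2 (IP security IKE intermediate); the function name is hypothetical.

```powershell
# Added example: look for an IPSec-usable certificate in the Local Computer
# Personal store and detect the "installed as a user certificate" mistake.
# Assumption: these EKU OIDs match the form's two Intended Purpose options.
$purposeOids = @{
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}

function Get-IPSecCandidateCert {
    param([Parameter(Mandatory)][string]$StorePath)
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Find the Enhanced Key Usage extension, if the certificate has one.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { continue }
        $matched = @($eku.EnhancedKeyUsages |
            Where-Object { $purposeOids.ContainsKey($_.Value) })
        if ($matched.Count -eq 0) { continue }
        [pscustomobject]@{
            Store         = $StorePath
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Purposes      = ($matched | ForEach-Object { $purposeOids[$_.Value] }) -join ', '
        }
    }
}

# "Personal" in the snap-in is the store named "My".
$machine = @(Get-IPSecCandidateCert -StorePath 'Cert:\LocalMachine\My')
$user    = @(Get-IPSecCandidateCert -StorePath 'Cert:\CurrentUser\My')

# A usable certificate is unexpired and has its private key in the machine store.
$usable = @($machine | Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })

if ($usable.Count -gt 0) {
    $usable | Format-List
} elseif ($user.Count -gt 0) {
    Write-Warning 'Matching certificate found only in the current user Personal store; the request was not made with "Use local machine store".'
    $user | Format-List
} else {
    Write-Warning 'No matching certificate found in either Personal store.'
}
```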
REFERENCES
For information about installing Certificate Services in
Windows, see the following article in the Microsoft Knowledge Base:
231881 How to Install/Uninstall a Public Key Certificate Authority
For more information, see the
"Step-by-Step Guide to End-to-End Security: An Introduction to Internet
Protocol" document located at the following Microsoft Web site:
Modification Type: Minor
Last Reviewed: 12/9/2005
Keywords: kbenv kbHOWTOmaster kbIPSec KB253498 kbAudITPro