Install Certificate for IPSec/VPN use


Dennis van Vroonhoven

Hi,

How do you request and install a certificate for L2TP/IPSec VPN use when
it's not a member of a domain (just a home computer of an employee) and the
CA is behind a firewall and not accessible from the outside? Can I request
and export a certificate directly on the server? How can I solve this
problem?

Thanks in advance,
Dennis
 

Priya Raghavan [MSFT]

Hi Dennis,

To get a certificate for your client which is not in the domain, you can
export the certificate from a machine which already has the certificate from
this CA:

Steps:

1. To open Certificates, click Start, click Run, type mmc, and then click
OK.
Click File -> Add/Remove Snap in, Click Add, Choose Certificates
from the list, Choose Computer Accounts -> Local Computer
Click Close and then Ok
2. Check the HELP for Certificates - In How To -> Import and Export
Certificates.

This will list the steps to export the certificate from a machine in the
domain and import it into a machine not in the domain.

Thanks,
Priya.
 

Dennis van Vroonhoven

Hi,

Thanks for the reply but when I do this I get Error 786: The L2TP connection
attempt failed because there is no valid machine certificate on your
computer for security authentication.
I did import the certificate in the Local Computer/Personal Store, the same
store where I did the export from on the other computer.

In the explanation he suggests the following reasons:
* Your computer's certificate is invalid, expired, or lacks the private key
that it needs.
* None of your computer's certificates are trusted by the server.

Can you help me with this?

Thanks,
Dennis
 

James

Dennis van Vroonhoven said:
Hi,

Thanks for the reply but when I do this I get Error 786: The L2TP connection
attempt failed because there is no valid machine certificate on your
computer for security authentication.
I did import the certificate in the Local Computer/Personal Store, the same
store where I did the export from on the other computer.

In the explanation he suggests the following reasons:
* Your computer's certificate is invalid, expired, or lacks the private key
that it needs.
* None of your computer's certificates are trusted by the server.

Can you help me with this?

I've been playing with this and I have the same problem, although I got a
certificate straight from the CA web page, it imported OK and seems fine. I
did read in a book that if the client machine isn't a member of the domain
it won't work and you just need to use PPTP, but I'm not entirely sure why?
I'll have another play with it soon hopefully as it's one of those things
that bugs me, because in theory, it should work!
James
 

Dennis van Vroonhoven

If you request a certificate (on a machine within the network) via the
web request, you must also set under key options "Mark keys as exportable".
Now you can start the mmc with the certificates snap-in and export the
key you've just installed; you're able to include the private keys and
certificate path. Now import these keys into the local machine store on the
PC you want to have access and it works.
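The same export/import done from an elevated PowerShell session, as an added example that is not part of the thread. The subject `CN=HOMEUSER-PC` and the paths under `C:\temp` are placeholders; `Export-PfxCertificate` only succeeds when the key was requested with "Mark keys as exportable", and the issuing CA's root is exported separately so it can land in the Trusted Root store on the home machine.

```powershell
# --- On the domain-joined machine that already holds the certificate ---
$pfxPassword = Read-Host -AsSecureString 'Password to protect the PFX'
# Placeholder subject: pick the machine certificate you want to move
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq 'CN=HOMEUSER-PC'
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in this store' }

# Private key is included only if it was marked exportable at request time
Export-PfxCertificate -Cert $cert -FilePath C:\temp\machine.pfx `
    -Password $pfxPassword -ChainOption EndEntityCertOnly

# Walk the chain to find the root CA certificate and export it (public part only)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($cert)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Export-Certificate -Cert $root -FilePath C:\temp\root.cer

# --- On the home (non-domain) machine, after copying both files over ---
# Machine cert + private key into Local Computer\Personal
Import-PfxCertificate -FilePath C:\temp\machine.pfx `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
# Root CA into Local Computer\Trusted Root Certification Authorities
Import-Certificate -FilePath C:\temp\root.cer -CertStoreLocation Cert:\LocalMachine\Root
```

Delete the PFX from both machines once the import succeeds; it carries the private key.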
 

Daniel Edgar

Ok that worked but now when I have some dial in from outside the network
they get some error about not finding the security policy error 791 I think.
But if I dial from a workstation inside the network it works.

Could this be some sort of nat problem?
 

Priya Raghavan [MSFT]

Ok, so this means you have exported your personal certificate and installed it in your machine to use when you are not in the domain.
Then you need to install the root certificate - which means the certificate of the CA who issued your personal cert.

To check if you have the root cert, do the following:
* Double click on the certificate name in the details pane.
* This will open the certificate and will tell you the name of CA who issued your certificate.
* Check the Trusted Root Certificates Authority -> Certificates and see if your Root Cert is in the list of certs which appear.

If not, then you need to export the root cert also from the machine in the domain and install it in your machine.
The procedure for exporting and installing the Root Cert is the same as you did for personal certs. The only difference is that you need to install it in the Trusted Root Certificates Authority store instead of the personal store.

Thanks,
Priya.


This posting is provided AS IS and offers no warranties.
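An added check (not from the thread) that tests, on the client, the three conditions behind Error 786 and the root-store check above: the machine certificate in Local Computer\Personal must carry its private key, be inside its validity period, and chain to a root that is present in Local Computer\Trusted Root. The function name is my own; run it from an elevated session.

```powershell
function Test-MachineCertForIpsec {
    param([string]$Thumbprint)   # optional: limit the check to one certificate
    $certs = Get-ChildItem Cert:\LocalMachine\My
    if ($Thumbprint) { $certs = $certs | Where-Object Thumbprint -eq $Thumbprint }
    $now = Get-Date
    foreach ($cert in $certs) {
        $problems = @()
        # Cause 1: certificate was imported without its private key
        if (-not $cert.HasPrivateKey) {
            $problems += 'no private key (re-export with the private key included)'
        }
        # Cause 2: expired or not yet valid
        if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) {
            $problems += "outside validity ($($cert.NotBefore) to $($cert.NotAfter))"
        }
        # Cause 3: issuer chain does not end in a trusted root on this machine
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CA is behind a firewall; trust only
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $problems += "chain does not build: $status"
        }
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            # The root must be in the machine store, not only the current user's store
            if (-not (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")) {
                $problems += "root '$($root.Subject)' not in Cert:\LocalMachine\Root"
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

Test-MachineCertForIpsec | Format-List
```

A certificate that reports `Usable : True` here but still fails with 786 points at the server side, for example the server not trusting this CA.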
 

Priya Raghavan [MSFT]

No, James, even if your machine is not in the domain, you can still make an
L2TP connection, provided your server and client have the certificates
installed on them properly.

Thanks,
Priya.

This posting is AS IS and offers no warranties.
 
