Restoring Certificate from System State?

Guest

Hi,

I have a user who I believe has a corrupt machine certificate. He is trying
to connect to our VPN, and he gets an error saying no valid certificate found
for connection. I've talked him through opening an MMC with the Certificates
snap-in, and it shows his machine certificate as 'not yet valid or expired',
although the valid from date is 16th March 06 until 16th March 07. He has a
full system backup, including the system state from about a month ago. I
said we could try to restore the certificate from there; however, he doesn't
want to do a full restore of the system state, as he's installed a lot of
software, and the registry changes might screw things up. Is there a way of
just restoring the certificate store? Where is this located? Is it the 'COM+
Class' section of system state? Is there a physical location that can be
restored? I always thought there was somewhere in windows\system32.

He doesn't want to have to come into the office, as he lives half way across
the country, and it would be about a 4hr drive.

Cheers

Ben
 
Guest

Oh dear, we have a Troll! Looks like it must be the school holidays again!
Go back under your bridge!
 
Vincent Xu [MSFT]

Hi Ben,

As the certificate is designed for security reasons, we can restore a
certificate only if you have backed it up before. The backup steps are as below:

1. Run "certmgr.msc"
2. Go to the certificate you want to backup
3. Right click the certificate and All Task -> Export
4. Follow the wizard to export the certificate.

From your description, I suspect you didn't do this before, so now what we
have to do is:

1. Revoke the old certificate at server side first.
2. Let the customer request a new certificate.

I suppose the customer should be able to request the certificate through the
Internet, right?


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================
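The export that Vincent describes, as an added PowerShell example (not from this thread, Microsoft, or the poster): it inventories the Local Machine personal store, compares each certificate's validity window against the local clock, verifies the chain the way a VPN client would, and backs up the usable certificates with their private keys to PFX files so a later restore does not need the full System State. It assumes Windows PowerShell 5.1+ with the built-in PKI module, run from an elevated prompt; `$BackupDir` is an assumed path.

```powershell
# Added example, not from the thread. Inventory, check and back up the
# Local Machine personal certificate store.
param([string]$BackupDir = "C:\CertBackup")   # assumed output folder

$now = Get-Date
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pfxPassword = Read-Host -Prompt "PFX export password" -AsSecureString

foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Compare the validity window with the local clock: a skewed clock makes a
    # perfectly good certificate show as 'not yet valid or expired' in the MMC.
    $timeStatus = if ($now -lt $cert.NotBefore)    { "NOT YET VALID" }
                  elseif ($now -gt $cert.NotAfter) { "EXPIRED" }
                  else                             { "within validity window" }

    # Verify() builds and validates the chain (trust, time, revocation), which
    # is what a VPN client does before it accepts a machine certificate.
    $chainOk = $cert.Verify()

    Write-Host $cert.Subject
    Write-Host ("  Issuer     : {0}" -f $cert.Issuer)
    Write-Host ("  Valid      : {0:u} to {1:u}  [{2}]" -f $cert.NotBefore, $cert.NotAfter, $timeStatus)
    Write-Host ("  Chain OK   : {0}" -f $chainOk)
    Write-Host ("  Private key: {0}" -f $cert.HasPrivateKey)

    # Only a certificate that still has its private key is worth a PFX backup;
    # a public-only export cannot authenticate the machine after a restore.
    if ($cert.HasPrivateKey -and $chainOk) {
        $file = Join-Path $BackupDir ("{0}.pfx" -f $cert.Thumbprint)
        try {
            Export-PfxCertificate -Cert $cert -FilePath $file -Password $pfxPassword | Out-Null
            Write-Host ("  Backed up  : {0}" -f $file)
        } catch {
            # Keys enrolled as non-exportable cannot be written to PFX; the
            # only recovery path for those is re-enrollment from the CA.
            Write-Warning ("  Not exportable ({0}): {1}" -f $cert.Thumbprint, $_.Exception.Message)
        }
    }
}
```

A backed-up file is restored with Import-PfxCertificate -FilePath <file> -CertStoreLocation Cert:\LocalMachine\My -Password <secure string>, which touches only that certificate and not the rest of the System State.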



--------------------
 
Guest

> I suppose the customer should can request the certificate through Internet,
> right?

Hi Vincent,

Thanks for the reply.

We do not have our CA enrollment pages published to the internet, so the
users can not currently request a certificate, unless in the office.
However, if we were to publish the site, currently there is no option to
select 'computer' from the certificate template drop down box. How do I go
about publishing a new template to the enrollment page? I've googled
"publish certificate template enrollment page" but can't find any details on
how to do it, do you have link to a page I can read?

Cheers

Ben
 
Vincent Xu [MSFT]

Hi,

Check following steps:


1. Open Certification Authority Manager.
2. Open Policy Settings.
3. Right Click on Policy Settings, choose New, choose Certificate to Issue.
4. Select IPSEC and click OK.
5. Repeat steps 5 and 6 for IPSEC (Offline Request).
6. Close Certification Authority Manager.
7. Move to a Domain Controller, if the CA is a Domain Controller stay put.
8. Open Active Directory Sites and Services.
9. Select "Active Directory Site and Services [YOUR DOMAIN HERE] on the
left pane.
10. Click on View and check "Show Services Node"
11. Expand Services on the left pane.
12. Expand Public Key Services.
13. Select Certificate Templates.
14. Double Click "IPSECIntermediateOffline" to open its properties.
15. Select the Security tab.
16. Select Authenticated Users.
17. Check the box for Enroll under the Allow column.
18. Close the Certificate Template Properties.
19. Repeat steps 16 - 20 for "IPSECIntermediateOnline". Please note the
difference between Online and Offline.
20. Close Active Directory Sites and Services.
21. Reboot the machine.

Steps to acquire a certificate for machines that are not in the CA's domain:

1. Go to the Web Enrollment Web site for the CA.

2. Select the "Advanced Request" option and click Next.
3. Select "Submit a certificate request to this CA using a form" and click
Next.
4. Wait for the page to load completely.
5. Choose IPSEC (Offline request) for the certificate Template.
6. For the NAME field put in the NETBIOS name of the machine.
7. Check the box for "Use local machine store"
8. Click Submit. All of the other fields are not relevant for this
request.
9. You should have an option to install the certificate.
10. Click Open on the Cert.
11. Install the certificate.

Hope this helps.


Best regards,

Vincent Xu
Microsoft Online Partner Support




--------------------