Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
A certificate infrastructure is a requirement for L2TP/IPSec-based VPN connections. Certificates provide stronger authentication security than password-based authentication does.
To provide a certificate infrastructure for a VPN client that makes L2TP/IPSec connections:
Install a certificate in the Local Computer certificate store on the VPN server.
Install a user certificate in the Current User certificate store of each client.
The certificate provides authentication for establishing IPSec security associations (SAs).
To provide a certificate infrastructure for user-level authentication with EAP-TLS:
Install a certificate on the authenticating server for the VPN server.
If you are not using smart cards, install a registry-based user certificate on each client.
-Or-
If you are using smart cards, install a certificate on each smart card distributed to a VPN client user.
Before you can install a certificate, a certification authority must be present and reachable. For a computer in a Windows Server 2003 domain, you can use auto-enrollment or the Certificates snap-in to install a certificate. Alternatively, you can install a certificate by using a Web browser to connect the VPN client to the CA Web enrollment agent. To install a certificate by using a CA Web enrollment agent, perform the following procedure:
Use a Web browser to connect the VPN client to the CA Web enrollment tool at http://ServerName/certsrv, where ServerName is the name of the server hosting the CA.
Click Request a certificate, and then click Advanced Certificate Request.
Click Create and submit a request to this CA to display a Web form for entering certificate information.
Enter the required information on the Web form, and then click Submit.
Click Install this certificate.
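After installation, it is worth confirming that the certificate landed in the store named above and can be used for authentication. The following script is an added example, not part of the original procedure. It assumes Windows PowerShell is installed (a separate download on Windows Server 2003) and that the certificates were placed in the Personal ("My") logical store; `Get-CertStatus` is a hypothetical helper name.

```powershell
# Added example: audit the certificate stores this page refers to.
# Assumptions: Windows PowerShell is installed, and the certificates were
# installed into the Personal ("My") logical store of each location.

function Get-CertStatus {
    param([string]$StorePath)

    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        # A certificate can authenticate only if its private key is present
        # and the current time falls inside its validity period.
        if (-not $_.HasPrivateKey)     { $state = 'NoPrivateKey' }
        elseif ($now -lt $_.NotBefore) { $state = 'NotYetValid' }
        elseif ($now -gt $_.NotAfter)  { $state = 'Expired' }
        else                           { $state = 'Usable' }

        # Verify() builds the chain to a trusted root with the basic
        # validation policy; False usually means the issuing CA's root
        # is not trusted on this computer or revocation could not be checked.
        $chainOk = $_.Verify()

        $_ | Select-Object Subject, Issuer, NotAfter, Thumbprint,
            @{ Name = 'State';      Expression = { $state } },
            @{ Name = 'ChainValid'; Expression = { $chainOk } }
    }
}

# On the VPN server: Local Computer store (run as an administrator).
Get-CertStatus -StorePath 'Cert:\LocalMachine\My' | Format-List

# On each VPN client: Current User store (run as the connecting user).
Get-CertStatus -StorePath 'Cert:\CurrentUser\My' | Format-List
```

A certificate that reports `NoPrivateKey`, `Expired`, or `ChainValid : False` should be re-enrolled or have its CA trust corrected before the connection is tested.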
For information about:
Using the Certificates snap-in to install a certificate, see "Using Certificates" in Help and Support Center for Windows Server 2003.
Using certificate autoenrollment to install a certificate, see "Certificate autoenrollment" in Help and Support Center for Windows Server 2003.
Deploying smart cards, see "Planning a Smart Card Deployment" in Designing and Deploying Directory and Security Services of this kit.