Installing Certificates for VPN Connections

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A certificate infrastructure is a requirement for L2TP/IPSec-based VPN connections. Certificates provide stronger authentication security than password-based authentication does.

To provide a certificate infrastructure for a VPN client that makes L2TP/IPSec connections:

  1. Install a certificate in the Local Computer certificate store on the VPN server.

  2. Install a user certificate in the Current User certificate store of each client.

    The certificate provides authentication for establishing IPSec security associations (SAs).

To provide a certificate infrastructure for user-level authentication with EAP-TLS:

  1. Install a certificate on the authenticating server for the VPN server.

  2. If you are not using smart cards, install a registry-based user certificate on each client.

    -Or-

    If you are using smart cards, install a certificate on each smart card distributed to a VPN client user.

Before you can install a certificate, a certification authority must be present and reachable. For a computer in a Windows Server 2003 domain, you can use auto-enrollment or the Certificates snap-in to install a certificate. Alternatively, you can install a certificate by using a Web browser to connect the VPN client to the CA Web enrollment agent. To install a certificate by using a CA Web enrollment agent, perform the following procedure:

To use the CA Web enrollment tool to install a certificate on a VPN client

  1. Use a Web browser to connect the VPN client to the CA Web enrollment tool at http://ServerName/certsrv, where ServerName is the name of the server hosting the CA.

  2. Click Request a certificate, and then click Advanced Certificate Request.

  3. Click Create and submit a request to this CA to display a Web form for entering certificate information.

  4. Enter the required information on the Web form, and then click Submit.

  5. Click Install this certificate.
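After step 5, confirm that the certificate actually landed in the store the procedures above call for (the Local Computer store on the VPN server, the Current User store on a VPN client) with its private key, a valid validity period, and a chain that builds to a trusted CA. The following script is an added verification example, not part of the original article; it assumes Windows PowerShell 2.0 or later is installed on the machine being checked, and the -Store parameter name is the script's own.

```powershell
# Added verification example (not from the original article). Assumes Windows PowerShell 2.0+.
# Run with -Store LocalMachine on the VPN server (Local Computer store) and
# -Store CurrentUser on a VPN client (Current User store).
param(
    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$Store = 'LocalMachine'
)

$path  = "Cert:\$Store\My"          # "My" is the Personal store the enrollment writes to
$certs = @(Get-ChildItem $path)

if ($certs.Count -eq 0) {
    Write-Warning "No certificates found in $path; the enrollment did not reach this store."
    return
}

foreach ($cert in $certs) {
    $problems = @()

    # Without the private key the certificate cannot authenticate the IPSec SA or EAP-TLS exchange.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    # Expired or not-yet-valid certificates are rejected by the peer.
    $now = Get-Date
    if ($cert.NotAfter  -lt $now) { $problems += "expired on $($cert.NotAfter)" }
    if ($cert.NotBefore -gt $now) { $problems += "not valid until $($cert.NotBefore)" }

    # The chain must build to a CA the peer also trusts. Offline revocation checking keeps the
    # report usable when the CA is not reachable from the machine being checked.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Offline'
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build ($status)"
    }

    $verdict = if ($problems.Count -eq 0) { 'OK' } else { 'PROBLEM: ' + ($problems -join '; ') }
    "{0}`n  Subject: {1}`n  Issuer:  {2}`n  {3}" -f $cert.Thumbprint, $cert.Subject, $cert.Issuer, $verdict
}
```

A certificate reported OK in Cert:\CurrentUser\My on a client but absent from Cert:\LocalMachine\My on the server points to the wrong account having run the Web enrollment, which is the most common reason an L2TP/IPSec connection fails after an apparently successful install.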

For information about:

  • Using the Certificates snap-in to install a certificate, see "Using Certificates" in Help and Support Center for Windows Server 2003.

  • Using certificate autoenrollment to install a certificate, see "Certificate autoenrollment" in Help and Support Center for Windows Server 2003.

  • Deploying smart cards, see "Planning a Smart Card Deployment" in Designing and Deploying Directory and Security Services of this kit.