Distributing Certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you configured the security settings of the VPN Entries in the CMAK wizard to use L2TP/IPSec, you might need to distribute certificates to your users. Users generally request their certificates from the certification authority (CA) through a Web server (Web enrollment pages). That Web server, and the CA behind it, can be on the Internet or on your intranet.

Internet Enrollment

With Internet enrollment, users go to a public Web site to obtain their certificates before they connect. Internet enrollment is useful if you are using a CA that is provided by another company, or if the profile requires L2TP/IPSec with no PPTP fallback, so that users must already hold a certificate before they can connect at all.

Intranet Enrollment

If certificates are optional but recommended, users can obtain their certificates after connecting to your intranet. To allow this, configure the service profile to try L2TP first. With this setting, the client attempts an L2TP/IPSec connection each time it connects; if L2TP is not available (for example, because the client does not yet have a certificate), the client connects using PPTP instead. A client can therefore connect the first time over PPTP, obtain a certificate over that connection, and use L2TP/IPSec for all subsequent connections. Note that the fallback is automatic: any client without a usable certificate keeps connecting over PPTP, which is not protected by IPSec. Verify that certificates have actually been deployed to your clients, and if PPTP connections are not acceptable in your environment, reconfigure the profile to use L2TP/IPSec only once enrollment is complete.

You can configure the Connection Manager Certificate Deployment Tool, Cmgetcer.dll, as a custom action in the service profile. This tool enables the client to obtain a certificate from the certification authority. Because the client must be able to reach the CA, run it as a post-connect custom action, so that it executes over the initial (PPTP) connection to your intranet.
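The following PowerShell script is an added example and is not part of the original CMAK documentation or of Cmgetcer.dll. It performs the check an administrator needs before removing the PPTP fallback from a profile: whether a client actually holds a machine certificate that L2TP/IPSec can use. The requirements it enforces are assumptions stated in the code, not taken from this page: the certificate must be in the Local Computer personal store (Cert:\LocalMachine\My), have a private key, be within its validity period, chain to a root the machine trusts, and carry either the Client Authentication or the IP security IKE intermediate enhanced key usage. Adjust the EKU list to match the template your CA issues.

```powershell
# Added example, not code from the CMAK documentation or from Cmgetcer.dll.
# Audits the local machine for a certificate usable for L2TP/IPSec so that an
# administrator can decide when it is safe to switch a profile from
# "L2TP first, then PPTP" to L2TP/IPSec only.
#
# Assumptions (not from the original page): the certificate must live in
# Cert:\LocalMachine\My, have a private key, be valid today, chain to a trusted
# root, and carry one of the EKUs listed in $RequiredEku.

$RequiredEku = @(
    '1.3.6.1.5.5.7.3.2',   # Client Authentication
    '1.3.6.1.5.5.8.2.2'    # IP security IKE intermediate
)

function Test-L2tpMachineCertificate {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string[]]$Eku = $RequiredEku
    )

    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $reasons = New-Object System.Collections.Generic.List[string]

        if (-not $cert.HasPrivateKey) {
            $reasons.Add('no private key')
        }
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
            $reasons.Add('outside validity period')
        }

        # EKU check: a certificate with no EKU extension is treated as unusable here.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @()
        if ($ekuExt) {
            $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
        if (-not ($oids | Where-Object { $Eku -contains $_ })) {
            $reasons.Add('missing required EKU')
        }

        # Chain check against the machine's trusted root store. Revocation is
        # skipped so the audit works offline; enable it if your CRL is reachable.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $reasons.Add("chain does not build ($status)")
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Usable     = ($reasons.Count -eq 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

$certs = @(Test-L2tpMachineCertificate)
$certs | Format-Table -AutoSize

if ($certs | Where-Object { $_.Usable }) {
    Write-Host 'A usable L2TP/IPSec machine certificate is present; PPTP fallback can be removed for this client.'
} else {
    Write-Warning 'No usable machine certificate found; with "L2TP first" this client will keep falling back to PPTP.'
}
```

Run the script in an elevated session on a client after Cmgetcer.dll has executed, or push it out as a logon script and collect the results, to confirm enrollment before you tighten the profile. The Reasons column tells you why a certificate was rejected, which is usually faster than reading the client's connection log.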

For more information about certification authorities and certificates, see "Designing a Public Key Infrastructure" in Designing and Deploying Directory and Security Services of this kit.