Re: How to Install certificate?
From: Dave Field [MSFT] (davidfi_at_online.microsoft.com)
Date: 02/10/04
- Next message: Mike Hell: "Re: Viewsonic V37 + Sandisk SD Wifi Card"
- Previous message: Paul C: "Re: How to reset the DHCP server address"
- Maybe in reply to: Gustavo: "How to Install certificate?"
- Next in thread: Jacco de Leeuw: "Re: How to Install certificate?"
- Reply: Jacco de Leeuw: "Re: How to Install certificate?"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 10 Feb 2004 12:37:26 -0800
Hello,
Bob is right that security admins don't like export of private keys...many
corps do not allow it. However, private key export/import is used quite a
bit in the unix world. Typically, this is accomplished through a PKCS12/PFX
export/import process. This method encrypts the exported cert and keys and
a password can be configured to "unlock" the file for import. Even this
method is looked down upon by many admins though.
The sample source code that was used to build the crtimprt app is available
at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncenet/html/certificateenrollment.asp.
The sample code does not enable export/import of the private key. It
actually enrolls through a direct connection from the device to a Windows
2000/2003 Certificate enrollment server. This way, the private key is
generated on the device and never leaves the device, unlike the import
scenario. A number of vendors building 802.11 solutions have added this
certificate enrollment code to their setup utilities to support 802.1x
implementations. Typically, the only Windows certificate template that is
used most of the time is "user" or "clientauth". The cert enroller comes
with a config file allowing you to change the template specified in the
enrollment.
Thanks,
Dave Field
This posting is provided "AS IS" with no warranties, and confers no rights.
"Bob Murray" <BobMurray999@hotmail.com> wrote in message
news:e5i2cK47DHA.632@TK2MSFTNGP12.phx.gbl...
> I agree, the site:
>
> http://www.jacco2.dds.nl/networking/crtimprt.html
>
> has good stuff if you ARE NOT ON a corporate net with security
> administrators. I think that if you ARE ON a corporate net, there are some
> things your security admin guys need to do to the CA server. I am not a
> security guy but I suspect that your security guys might have a bit of a
> conniption fit if you used the techniques on Jacco's page to decrypt the
> certificate so that it can be imported to PocketPC. There are a couple of
> certificate templates (aha!) that need to be set up on the CA server to
> allow PocketPC/PDA access.
>
> Good Luck,
> Bob
>
>
> "Gustavo" <gustavo@NOSPAN.com> wrote in message
> news:eKTr5ay7DHA.2480@TK2MSFTNGP10.phx.gbl...
> > Hello
> >
> > I have a Toshiba e800 and I would like to install an IPSec certificate for a
> > L2TP/IPSec connection.
> >
> > I can not do it by enrollment in the web server because it says that my
> > browser is not able to do it, so I have to copy the certificate and after
> > submit it. I have saved one certificate to file and I can download it with
> > my PDA. I copy it in the browser and when I submit, I get the following
> > message:
> >
> > Microsoft VBScript runtime error '800a000d'
> >
> > Type mismatch: 'getTemplateStringInfo'
> > /certsrv/certlynx.asp, line 83
> >
> > Where is the problem? Is that the correct way?
> >
> > Thanks for any help
> >
> > gustavo
> >
> >
>
>
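The two models contrasted in the reply above (on-device enrollment versus PKCS12/PFX export/import), shown with OpenSSL as an added example that is not part of the original thread or of the crtimprt and enrollment sample code. The subject name and passphrase are constructed, and a self-signed certificate stands in for the one a CA would issue.

```shell
#!/usr/bin/env bash
# Added example: contrasts what leaves the device in each model.
set -eu
umask 077                                   # key material readable by owner only
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

SUBJ="/CN=pda-user.example.test"            # constructed subject name
export PFX_PASS="constructed-passphrase"    # constructed; passed via env, not argv

# Enrollment model: the key pair is generated locally and only a PKCS#10
# request (public key + subject, signed by the private key) is sent to the CA.
make_request() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/device.key" 2>/dev/null
  openssl req -new -key "$WORK/device.key" -subj "$SUBJ" -out "$WORK/device.csr"
}

# Import model: certificate and private key are bundled into one
# password-protected PKCS#12 file that is then copied to another machine.
make_pfx() {
  # Self-signed certificate as a stand-in for the CA-issued one (assumption).
  openssl req -new -x509 -key "$WORK/device.key" -subj "$SUBJ" -days 1 \
    -out "$WORK/device.crt"
  openssl pkcs12 -export -inkey "$WORK/device.key" -in "$WORK/device.crt" \
    -passout env:PFX_PASS -out "$WORK/device.pfx"
}

# Count PEM private-key blocks on stdin (prints 0 when there are none).
count_private_keys() { grep -c -- '-----BEGIN .*PRIVATE KEY-----' || true; }

# What the CA (or anyone on the path) sees in the enrollment model.
csr_private_keys() { count_private_keys < "$WORK/device.csr"; }

# What a holder of the PFX file recovers when trying password $1.
pfx_private_keys() {
  PFX_TRY="$1" openssl pkcs12 -in "$WORK/device.pfx" -passin env:PFX_TRY \
    -nocerts -nodes 2>/dev/null | count_private_keys
}

make_request
make_pfx
echo "private keys in CSR:                  $(csr_private_keys)"
echo "private keys in PFX, right password:  $(pfx_private_keys "$PFX_PASS")"
echo "private keys in PFX, wrong password:  $(pfx_private_keys wrong-guess)"
```

The request file carries no private key at all, while the PFX carries it and protects it only with the password chosen at export time.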