IPSec Authentication using Computer Certificates fails

Question: IPSec Authentication using Computer Certificates fails

  • 14 September 2007 18:53
    When I try to setup IPSec-secured communication between a Vista PC and a WS08 domain controller using computer certificate authentication, no SA's are created, and the communication is blocked.

    However, if I rename the file that contains the key of the Certificate Authority's signing certificate, SA's are created and IPSec-secured communication is established.

    Details:

    The domain controller has (3) certificates: the CA's signing certificate; a domain controller certificate (autoenrolled), and an
    IPSECIntermediateOnline certificate (manually enrolled).

    In the process of establishing a Security Association (SA), the key of each certificate is read from the file that contains it. The CA's signing certificate key is unsuccessfully decrypted, failing with a return code of 0x80090010 (access denied). The other certificate key files are read and their keys opened without error, but no SA's are created.

    However, when the file containing the CA's signing certificate key is renamed, SA's are created! The file containing the CA's signing certificate key is the first one searched for; it is not found, failing with a return code of 0x80090011 (object not found). The other certificate key files are read and their keys opened without error. SA's are created.

    Can anyone explain why this happens, and how to correct it?

    Thanks.
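The post describes three certificates in the domain controller's machine store, one of which (the CA's signing certificate) has a private key that cannot be opened (0x80090010). The following diagnostic is an added example, not code from the original post or from Microsoft: it walks the computer's personal certificate store, reports which certificates carry the IPsec IKE intermediate EKU (OID 1.3.6.1.5.5.8.2.2, the EKU behind the IPSECIntermediateOnline template) and which are CA certificates, and tries to open each private key so that a key-access failure shows up per certificate instead of only in the IKE trace. It assumes an elevated PowerShell session on the machine being diagnosed and the standard `Cert:` drive; no other identifiers are taken from the post.

```powershell
# Added diagnostic (not part of the original post): list every certificate in the
# computer's personal store, show whether it carries the IPsec IKE intermediate
# EKU and whether it is a CA certificate, and attempt to open its private key so
# that key-access failures such as 0x80090010 (NTE_PERM) are visible per cert.
# Assumed: elevated PowerShell on the machine being diagnosed.

$IpsecIkeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # "IP security IKE intermediate"

function Get-MachineCertKeyReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Read EKU OIDs straight from the extension so this does not depend on
        # provider-specific convenience properties of newer PowerShell versions.
        $ekuOids = @()
        $isCa = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
            # Basic constraints tells us whether this is the CA's own certificate;
            # IKE has no reason to use a CA signing key for machine authentication.
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
                $isCa = $ext.CertificateAuthority
            }
        }

        # Opening the private key is where a key-container permission problem
        # surfaces, as a CryptographicException; keys stored by CNG rather than a
        # legacy CSP may instead come back as $null from .PrivateKey.
        $keyState = 'no private key'
        if ($cert.HasPrivateKey) {
            try {
                $key = $cert.PrivateKey
                if ($key -eq $null) {
                    $keyState = 'has key, but .PrivateKey returned null (CNG key?)'
                } else {
                    $keyState = 'private key opened OK'
                }
            } catch {
                $keyState = 'private key open FAILED: ' + $_.Exception.Message
            }
        }

        New-Object PSObject -Property @{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            IsCA        = $isCa
            IpsecIkeEku = ($ekuOids -contains $IpsecIkeIntermediateOid)
            AllEkus     = ($ekuOids -join ',')
            KeyState    = $keyState
        }
    }
}

# Usage: one row per certificate; a CA certificate with a failing KeyState is the
# situation the post describes, and a non-CA certificate with IpsecIkeEku = True
# and 'private key opened OK' is the one IKE should be able to authenticate with.
Get-MachineCertKeyReport | Format-Table Subject, IsCA, IpsecIkeEku, KeyState -AutoSize
```

Run it on both peers: the report makes it obvious whether the store contains a certificate that IKE should never need (the CA's signing certificate) alongside the intended IPsec certificate, and whether the private key that fails to open belongs to the former. Comparing the output before and after changing key permissions or moving the CA certificate out of the machine's personal store is a safer way to test than renaming key files by hand.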