Friday, February 17, 2012 3:18 PM
I've got a Standalone CA using Windows Server 2008 R2 Enterprise.
I also have an IKEv2 VPN, and I can connect all my PCs to it fine.
However, when I try to connect using my Samsung Galaxy S2, I always get prompted with "Select User Certificate".
How do I create a User Certificate using a Standalone CA for 2008 so I can use it to connect to my VPN?
Friday, February 17, 2012 4:08 PM
As far as I know, NDES ( http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx ) doesn't support Standalone CAs and only Enterprise CAs are supported. You may have to use 3rd party SCEP server.
- Marked As Answer by Bruce-Liu (Moderator) Tuesday, February 28, 2012 10:15 AM
Friday, February 17, 2012 6:03 PM
Hi, IKEv2 requires a user/computer client authentication certificate. It will be a certificate that contains the Client Authentication purpose (OID 1.3.6.1.5.5.7.3.2) and optionally the IKE Intermediate purpose (OID 1.3.6.1.5.5.8.2.2, in the case of a Microsoft IKEv2 gateway) or IKE Endpoint (OID 1.3.6.1.5.5.7.3.6, in the case of a Cisco VPN gateway). The certificate's Subject or Subject Alternative Name (SAN) extension may contain your client device name, but it is probably ignored by the VPN gateway, so I would not bother with the name initially.
So you need to obtain something like a Computer or IPSec certificate from the Standalone CA over web enrollment at the URL http://yourca/certsrv. Then export the issued certificate together with its private key into a .PFX file. This can be done on a Windows computer with Windows XP or Windows 7. The web enrollment pages will not work from your Samsung device, because web enrollment requires an ActiveX component to be run in the client browser.
You may also try starting with directly exporting the certificate from another Windows computer that you say "can connect" to the VPN already.
Then you will have to import the exported .PFX certificate into the Samsung device by using some "Samsung's way".
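The same procedure done from the command line on a Windows 7 client, as an added example that is not part of the original answer: certreq is used in place of the certsrv ActiveX pages to request a certificate carrying the Client Authentication and IKE Intermediate purposes named above from the standalone CA, and certutil then packages the issued certificate with its private key into a .PFX for the phone. The CA config string "CA01\Contoso-Standalone-CA", the subject "CN=galaxy-s2" and the PFX password are assumptions for illustration; replace them with your own.

```powershell
# Added example (not from the thread): request a client-authentication
# certificate from a standalone CA with certreq, then export it with its
# private key to a .PFX file for import on the phone.
# Assumptions (hypothetical): the CA is reachable as "CA01\Contoso-Standalone-CA",
# the request is made from a Windows 7 box, and the PFX password is "ChangeMe!".

$CaConfig    = 'CA01\Contoso-Standalone-CA'   # hypothetical "<host>\<CA name>"
$PfxPassword = 'ChangeMe!'                    # hypothetical; use a real passphrase

# 1. Request parameters for certreq.
#    Exportable = TRUE is the critical line: without it the private key can
#    never leave this machine and no .PFX can be built.
#    No MachineKeySet, so the key lands in CurrentUser\My (a "user" certificate).
#    A standalone CA has no templates, so the EKUs come from the request itself.
@"
[NewRequest]
Subject = "CN=galaxy-s2"
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
OID = 1.3.6.1.5.5.8.2.2
"@ | Set-Content -Path .\galaxy.inf -Encoding ASCII

# 2. Build the PKCS#10 request and submit it. On a standalone CA the request
#    goes to "Pending Requests"; certreq prints the RequestId we need later.
certreq -new .\galaxy.inf .\galaxy.req
$submitOutput = certreq -submit -config $CaConfig .\galaxy.req .\galaxy.cer
$RequestId = ($submitOutput | Select-String -Pattern 'RequestId:\s*(\d+)').Matches[0].Groups[1].Value
Write-Host "Submitted, RequestId $RequestId (pending on the CA)"

# 3. On the CA itself, an administrator issues the pending request:
#       certutil -resubmit $RequestId
#    (or right-click > All Tasks > Issue in the Certification Authority MMC).
Read-Host "Issue request $RequestId on the CA, then press Enter"

# 4. Retrieve the issued certificate and bind it to the private key created in step 2.
certreq -retrieve -config $CaConfig $RequestId .\galaxy.cer
certreq -accept .\galaxy.cer

# 5. Check before exporting: private key present, and the EKUs the gateway expects.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=galaxy-s2' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Certificate not found in CurrentUser\My' }
if (-not $cert.HasPrivateKey) { throw 'No private key bound; was Exportable/KeySpec honoured?' }

$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # EKU extension
$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
foreach ($required in '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.8.2.2') {
    if ($ekuOids -notcontains $required) { throw "Issued certificate lacks EKU $required" }
}

# 6. Export certificate + private key as PFX from the user store.
certutil -user -p $PfxPassword -exportPFX my $cert.Thumbprint .\galaxy.pfx
Write-Host "Wrote .\galaxy.pfx; copy it to the phone together with the CA's root certificate."
```

Copy galaxy.pfx to the device and import it through the phone's credential storage; the root certificate of the standalone CA has to be imported as well, or the phone will not trust the gateway. Treat the .PFX as a secret in transit (it contains the private key) and delete the copy from the PC once the phone has it.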