Creating User Certificate using Standalone CA for Android Device? Windows Server 2008 R2?

    Question

  • Hi Everyone.

    I've got a Standalone CA using Windows Server 2008 R2 Enterprise.

    I also have an IKEv2 VPN and I can connect all my PCs to it fine.

    However, when I try to connect using my Samsung Galaxy S2 I always get prompted with "Select User Certificate".

    How do I create a User Certificate using a Standalone CA for 2008 so I can use it to connect to my VPN?

    Thanks

    Friday, February 17, 2012 3:18 PM

All replies

  • As far as I know, NDES ( http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx ) doesn't support Standalone CAs and only Enterprise CAs are supported. You may have to use a 3rd-party SCEP server.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    • Marked as answer by Bruce-Liu Tuesday, February 28, 2012 10:15 AM
    Friday, February 17, 2012 4:08 PM
  • Hi, IKEv2 requires a user/computer client authentication certificate. It will be a certificate that contains the Client Authentication purpose (OID 1.3.6.1.5.5.7.3.2) and optionally the IKE Intermediate purpose (OID 1.3.6.1.5.5.8.2.2 in case of a Microsoft IKEv2 gateway) or IKE Endpoint (OID 1.3.6.1.5.5.7.3.6 in case of a Cisco VPN gateway). The certificate's Subject or Subject Alternative Name (SAN) extension may contain your client device name, but it is probably ignored by the VPN gateway, so I would not bother with the name initially.

    So you need to obtain something like a Computer or IPSec certificate from the Standalone CA over web enrollment at the URL http://yourca/certsrv. Then export the issued certificate together with its private key into a .PFX file. This can be done on a Windows computer with Windows XP or Windows 7. The web enrollment pages will not work from your Samsung device, because web enrollment requires an ActiveX component to be run in the client browser.

    You may also try starting with directly exporting the certificate from another Windows computer that you say "can connect" to the VPN already.

    Then you will have to import the exported .PFX certificate into the Samsung device by using some "Samsung's way".

    ondrej.

    Friday, February 17, 2012 6:03 PM
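The same end result as ondrej describes, as an added example that is not part of the thread: it uses certreq/certutil from a Windows 7 client instead of the certsrv web pages, so the request carries exactly the Client Authentication and IKE Intermediate EKUs, verifies them on the issued certificate, and exports the .PFX. The CA config string, subject and PFX password are placeholders.

```powershell
# Added example, not from the thread. certreq/certutil ship with Windows 7 / 2008 R2.
# "CAHOST\Contoso-Standalone-CA", the subject and the PFX password are placeholders.
$caConfig = "CAHOST\Contoso-Standalone-CA"   # placeholder: "certutil -dump" on the CA shows the real config string
$subject  = "CN=galaxy-s2"                   # placeholder; the gateway probably ignores it anyway

# 1. Request file. Client Authentication (1.3.6.1.5.5.7.3.2) is the required EKU;
#    IKE Intermediate (1.3.6.1.5.5.8.2.2) is what a Microsoft IKEv2 gateway looks for.
@"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
OID = 1.3.6.1.5.5.8.2.2
"@ | Set-Content -Path .\ikev2client.inf -Encoding ASCII

# 2. Build the PKCS#10 request; the private key is created in the current user's store, marked exportable.
certreq -new .\ikev2client.inf .\ikev2client.req

# 3. Submit to the standalone CA. A standalone CA leaves requests pending until an administrator
#    issues them in the CA console, so note the RequestId that certreq prints.
certreq -submit -config $caConfig .\ikev2client.req .\ikev2client.cer
# Once issued:  certreq -retrieve -config $caConfig <RequestId> .\ikev2client.cer

# 4. Install the issued certificate against the pending private key.
certreq -accept .\ikev2client.cer

# 5. Check: the installed certificate must list Client Authentication (and IKE Intermediate).
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
$cert.EnhancedKeyUsageList | Format-Table FriendlyName, ObjectId
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.2")) {
    throw "Certificate lacks the Client Authentication EKU; the IKEv2 gateway will reject it."
}

# 6. Export certificate plus private key as a .PFX for import on the device.
certutil -user -p "ChangeMe-Pfx-Password" -exportPFX My $cert.Thumbprint .\ikev2client.pfx
```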