certificate for L2TP\IPSec

  • Question

  • Hi, I'm trying to deploy L2TP\IPsec with certificate authentication.

    If I request a certificate from a domain-joined PC and set the "Computer" template, this PC can connect to the VPN server.
    1) But is it right to use the default Computer template?

    I try to create a certificate for OS X. For that I use an INF file with some attributes like:

    [Version]
    Signature="$Windows NT$"
    
    [NewRequest]
    Subject = "CN=osxname.xxxxx.xxxx.xxxx"
    Exportable = FALSE; Private key is NOT exportable (set TRUE if the key must be exported to another machine)
    KeyLength = 2048
    KeySpec = 1; AT_KEYEXCHANGE
    KeyUsage = 0xf0; Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment
    MachineKeySet = TRUE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    RequestType = PKCS10
    
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
    OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
    OID=1.3.6.1.5.5.8.2.2 ; IP Security IKE intermediate
    
    [RequestAttributes]
    SAN  = "dns=osxname.xxxxxxx.xxxxxxx.com&"
    _continue_ = "dns=vpn1.xxxxxx.xxxxxxx.com&"
    CertificateTemplate = "Machine"

    but when I try to sign this cert I get an error:

    2) How can I create the right cert for OS X?

    In the CA snap-in I see that the DNS name is unavailable. It is true, because "osxname" is an external PC... or what does it mean?

    Thank you!

    • Edited by Anahaym Tuesday, August 11, 2015 2:08 PM
    Tuesday, August 11, 2015 1:55 PM

Answers

  • In case someone needs to issue a cert for OS X\Linux:

    sudo su
    mkdir /VPN-Cert
    cd /VPN-Cert
    # generate a private key and a certificate signing request (the key stays on this machine)
    openssl req -nodes -newkey rsa:2048 -keyout vpn-client-key.pem -out vpn-client-req.csr
    cat vpn-client-req.csr
    
    # paste the output into Microsoft web enrollment at https://<servername>/certsrv using the L2TP IPsec template,
    # then download the issued certificate (certnew.cer)
    mv ~/Downloads/certnew.cer /VPN-Cert/user.cer
    
    # download the root CA certificate (also saved as certnew.cer)
    mv ~/Downloads/certnew.cer /VPN-Cert/certnew.cer
    
    # convert both DER files to PEM
    openssl x509 -inform DER -in /VPN-Cert/certnew.cer -out /VPN-Cert/ca-root-crt.pem
    openssl x509 -inform DER -in /VPN-Cert/user.cer -out /VPN-Cert/vpn-client-crt.pem
    # bundle the key, the client certificate and the root CA into one PKCS#12 file
    openssl pkcs12 -export -inkey /VPN-Cert/vpn-client-key.pem -in /VPN-Cert/vpn-client-crt.pem -out /VPN-Cert/vpn-client.p12 -certfile /VPN-Cert/ca-root-crt.pem
    
    # import the certificate (vpn-client.p12) into the keychain
    • Marked as answer by Anahaym Saturday, November 16, 2019 9:59 PM
    Saturday, November 16, 2019 9:59 PM
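The following is an added example, not code from this thread or from Microsoft's tooling. It carries the marked answer's openssl flow end to end offline, with a throwaway test CA standing in for the Windows CA and web enrollment, and then runs the two checks a practitioner wants before importing the .p12: that the issued certificate really pairs with the private key on disk (the "no private key" failure reported earlier in the thread, which certreq -accept fixed on Windows), and that it carries the EKUs the original INF asked for. The CA name, client name, paths under a temporary directory and the export password are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): offline L2TP/IPsec client cert flow with checks.
# A constructed test CA replaces the Windows CA; in the real flow the two "issue" steps
# are the web enrollment download of certnew.cer.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for every generated file (constructed path)

# Constructed root CA; in the real flow this is the downloaded root certnew.cer.
make_test_ca() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Test Root CA" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca-root-crt.pem" 2>/dev/null
}

# Client key and CSR, same shape as the marked answer. The subject is supplied
# in the request, which is what the custom template must allow.
make_client_request() {
    openssl req -nodes -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$WORK/vpn-client-key.pem" -out "$WORK/vpn-client-req.csr" 2>/dev/null
}

# Sign the CSR with the EKUs from the INF in the question: Server Authentication,
# Client Authentication and IP Security IKE intermediate (1.3.6.1.5.5.8.2.2).
issue_client_cert() {
    printf '%s\n' \
        'extendedKeyUsage=serverAuth,clientAuth,1.3.6.1.5.5.8.2.2' \
        'keyUsage=digitalSignature,keyEncipherment' > "$WORK/client.ext"
    openssl x509 -req -days 1 -in "$WORK/vpn-client-req.csr" \
        -CA "$WORK/ca-root-crt.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -extfile "$WORK/client.ext" -out "$WORK/vpn-client-crt.pem" 2>/dev/null
}

# Returns 0 when the RSA modulus in the certificate equals the one in the key,
# i.e. the cert was issued for this key and the .p12 will hold a usable pair.
key_matches_cert() {
    cert_mod="$(openssl x509 -noout -modulus -in "$1")"
    key_mod="$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)"
    [ "$cert_mod" = "$key_mod" ]
}

# Returns 0 when the certificate's Extended Key Usage line matches the regex in $2.
cert_has_eku() {
    openssl x509 -noout -text -in "$1" | grep -A1 'Extended Key Usage' | grep -qiE "$2"
}

# Bundle key, cert and root CA into the PKCS#12 the keychain imports.
build_p12() {
    openssl pkcs12 -export -inkey "$WORK/vpn-client-key.pem" -in "$WORK/vpn-client-crt.pem" \
        -certfile "$WORK/ca-root-crt.pem" -passout pass:changeit -out "$WORK/vpn-client.p12"
}

# Full flow; returns 0 only if the key/cert pairing and EKU checks all pass.
run_demo() {
    make_test_ca
    make_client_request "osxname.example.test"
    issue_client_cert
    key_matches_cert "$WORK/vpn-client-crt.pem" "$WORK/vpn-client-key.pem" || return 1
    cert_has_eku "$WORK/vpn-client-crt.pem" 'Client Authentication' || return 1
    cert_has_eku "$WORK/vpn-client-crt.pem" '1\.3\.6\.1\.5\.5\.8\.2\.2|IKE' || return 1
    build_p12
    echo "ok: $WORK/vpn-client.p12 pairs with its key and carries the required EKUs"
}

run_demo
```

In the real flow, replace make_test_ca and issue_client_cert with the two certnew.cer downloads and run key_matches_cert on the converted vpn-client-crt.pem and your vpn-client-key.pem before building the .p12; a mismatch means the CA issued a certificate for some other key (or a key you never held), which is exactly the situation the thread hit with the INF-issued certificate before certreq -accept bound it to the pending request's key.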

All replies

  • You need a separate certificate template configured so that the subject is provided in the request. The permissions are then set to allow a user to submit the request (read and enroll permissions).

    Your INF file is correct, except you would change the name of the template from Machine to your custom template's CN (without spaces).

    Brian

    • Proposed as answer by Brian Komar [MVP] Tuesday, August 11, 2015 8:13 PM
    • Unproposed as answer by Anahaym Wednesday, August 12, 2015 8:54 AM
    Tuesday, August 11, 2015 8:13 PM
  • So, I changed the template to "L2TPIPSec(Offlinerequest)"; it is a copy of the IPSec (Offline request) template.

    Permissions are for computers: CLI02, VPN1, TOOLS (this PC I use for management of servers).

    I logged on to CLI02, which is connected to the domain via DirectAccess, and in the Certificates snap-in I can enroll a new cert with the L2TPIPSec(Offlinerequest) template:

    Now I need to create a new cert for a computer that isn't joined to the domain. How can I do this?

    1) Create a request with the INF file.
    2) Try to submit this request, but here I get an error:

    Wednesday, August 12, 2015 8:54 AM
  • In the template I uncheck DNS name, and then I can submit:

    but the cert is issued for me, not for OSXNAME$:

    Wednesday, August 12, 2015 9:38 AM
  • Set "supply in the request", and now the "issued to" field has the correct name of the PC. Hope it will be enough for OS X.

    Requester is still me )
    • Edited by Anahaym Wednesday, August 12, 2015 11:47 AM
    Wednesday, August 12, 2015 11:47 AM
  • The certificate issued using the INF file is not appropriate for IPSec, because it has no private key. How can I create the right cert using the INF file?

    For OS X I should create a cert with an exportable key...

    • Edited by Anahaym Thursday, August 13, 2015 1:38 PM
    Thursday, August 13, 2015 1:37 PM
  • Forgot: certreq -accept

    Now it works, trying for OS X...

    Thursday, August 13, 2015 3:11 PM