RE: Register a windows client on IOS CA

From: Tyson Scott <tscott_at_ipexpert.com>
Date: Tue, 11 Aug 2009 21:21:58 -0400

Dale,

For the VPN Client it is easiest to use it to make the request. The
information I am giving below would be for TLS-EAP for NAC.

It would be good to know multiple ways to do the certificate request as the
need for certificates on ACS and XP are the two things I am not sure how
they will ask it to be done on the lab if it is included.

Regards,
 
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: tscott_at_ipexpert.com
 

-----Original Message-----
From: Dale Shaw [mailto:dale.shaw_at_gmail.com]
Sent: Tuesday, August 11, 2009 8:44 PM
To: Tyson Scott
Cc: Sadiq Yakasai; Cisco certification; Cisco certification
Subject: Re: Register a windows client on IOS CA

Hi Tyson,

On Wed, Aug 12, 2009 at 10:07 AM, Tyson Scott<tscott_at_ipexpert.com> wrote:
>
> Install IIS on Windows XP. After doing so go to your default website and
> right click go to properties. Click on the Directory Security Tab. Click
> on Server Certificate. This will open the "IIS Certificate Wizard". This
> wizard can be used to generate a certificate signing request. Open the
> request file with Notepad. Paste the information to IOS CA. Copy the
> completed certificate from IOS CA back to Windows XP. Install the
> certificate. You have now successfully generated a Certificate for Windows
> XP using IIS.

Ah, I now see what the reference to IIS was about. You're right, of course.

This method allows you to create a certificate request with fixed
attributes/properties -- key usage attributes suitable for a web
server. Does this method allow you to generate certificates for use
with the VPN Client, for example? I remember it (the client) being
fairly fussy.

If you're going to go to the trouble of installing extra software just
to generate a certificate request, instead of installing IIS, you're
better off installing the Administration Tools pack (adminpak.msi)
from Windows Server 2003. As part of that install, you'll get
CertUtil.exe, which allows you to do a lot more, including generation
of certificate requests with whatever key usage attributes you like.

Chances are, most network administrator types would have the adminpak
installed already.

cheers,
Dale
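
Added example, not part of the original messages: one way to build a request with chosen key usage attributes on Windows is an INF file passed to certreq.exe, which is a different tool from the CertUtil.exe named above. The subject name, key length, provider and the client-authentication usage values are assumptions for illustration, and the file names and CA server name are placeholders.

```ini
; client-request.inf (constructed sample, values are assumptions)
; Build the PKCS#10 request:    certreq -new client-request.inf client-request.req
; On the IOS CA, paste the request when prompted by:
;     crypto pki server <ca-server-name> request pkcs10 terminal
; Install the issued certificate: certreq -accept client-issued.cer

[Version]
Signature = "$Windows NT$"

[NewRequest]
; Placeholder subject; use the name the authenticating device expects.
Subject = "CN=xp-client.example.test"
; 1 = AT_KEYEXCHANGE, so the key can be used for both signing and key exchange.
KeySpec = 1
KeyLength = 2048
; Keep the private key non-exportable unless it has to be moved.
Exportable = FALSE
; FALSE places the key in the current user's store; TRUE uses the machine store.
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
RequestType = PKCS10
; 0xa0 = digitalSignature (0x80) + keyEncipherment (0x20)
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; Client Authentication. The IIS wizard instead requests Server
; Authentication (1.3.6.1.5.5.7.3.1), which suits a web server.
OID = 1.3.6.1.5.5.7.3.2
```

After installing the issued certificate, its Details tab shows the Key Usage and Enhanced Key Usage fields, so you can confirm what the CA actually issued.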

Received on Tue Aug 11 2009 - 21:21:58 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:56 ART