Re: Register a windows client on IOS CA from Sadiq Yakasai on 2009-08-12 (Ccielab archives 08/2009)

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Wed, 12 Aug 2009 10:32:24 +0100

Good dialogue chaps!

Thanks!

On Wed, Aug 12, 2009 at 2:21 AM, Tyson Scott <tscott_at_ipexpert.com> wrote:

> Dale,
>
> For the VPN Client it is easiest to use it to make the request. The
> information I am giving below would be for TLS-EAP for NAC.
>
> It would be good to know multiple ways to do the certificate request as the
> need for certificates on ACS and XP are the two things I am not sure how
> they will ask it to be done on the lab if it is included.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: tscott_at_ipexpert.com
>
>
> -----Original Message-----
> From: Dale Shaw [mailto:dale.shaw_at_gmail.com]
> Sent: Tuesday, August 11, 2009 8:44 PM
> To: Tyson Scott
> Cc: Sadiq Yakasai; Cisco certification; Cisco certification
> Subject: Re: Register a windows client on IOS CA
>
> Hi Tyson,
>
> On Wed, Aug 12, 2009 at 10:07 AM, Tyson Scott<tscott_at_ipexpert.com> wrote:
> >
> > Install IIS on Windows XP. After doing so go to your default website and
> > right click go to properties. Click on the Directory Security Tab.
> Click
> > on Server Certificate. This will open the "IIS Certificate Wizard".
> This
> > wizard can be used to generate a certificate signing request. Open the
> > request file with Notepad. Paste the information to IOS CA. Copy the
> > completed certificate from IOS CA back to windows XP. Install the
> > certificate. You have now successfully generated a Certificate for
> windows
> > XP using IIS.
>
> Ah, I now see what the reference to IIS was about. You're right, of course.
>
> This method allows you to create a certificate request with fixed
> attributes/properties -- key usage attributes suitable for a web
> server. Does this method allow you to generate certificates for use
> with the VPN Client, for example? I remember it (the client) being
> fairly fussy.
>
> If you're going to go to the trouble of installing extra software just
> to generate a certificate request, instead of installing IIS, you're
> better off installing the Administration Tools pack (adminpak.msi)
> from Windows Server 2003. As part of that install, you'll get
> CertUtil.exe, which allows you to do a lot more, including generation
> of certificate requests with whatever key usage attributes you like.
>
> Chances are, most network administrator types would have the adminpak
> installed already.
>
> cheers,
> Dale
>
>

-- 
CCIE #19963
Blogs and organic groups at http://www.ccie.net

Received on Wed Aug 12 2009 - 10:32:24 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:56 ART