Managing Digital Certificates

About Digital Certificates

In the MSL server, an IPsec digital certificate is created for a user account when either of the following occurs:

  • The user account is in the "locked" state and the password is then set, which unlocks the account.

  • You choose the Reset digital certificates option in the Remote Access panel (see below). If the user's password is already set and VPN client access is enabled, but no certificate exists for the user, go to the user-modify panel and click Save to create a new certificate.

Once the certificate is created, the Download button appears on the user modify page, allowing you to download the certificate to a client.

CAUTION:
Watch out for time skew! Ensure that the Windows clients and the MSL server have the correct date and time set before starting. Certificates have a start date and an end date, and they are only valid between those two dates. The start date is set to the date and time at which the certificate was created on the MSL server, so if the clock on the Windows client is 12 hours behind, the certificate will not be valid on the client machine until 12 hours after it is created. If you have made a significant change to the date and time on the MSL server, you may need to click Reset digital certificates on the Remote Access panel and re-create certificates for all users (following the instructions above).

Importing Digital Certificates

To import certificates on Windows 2000/XP systems:

  1. If you have an export version of Windows 2000 Professional, install the High Encryption Pack or SP2+ from Microsoft's Web site.

  2. Log in to the Windows machine as "Administrator".

  3. Access the Server Manager on the MSL server from the machine that you are setting up as the IPsec client. You may need to temporarily allow remote administration access for the client machine's IP address from the Remote Access panel on the MSL server.

  4. From the Users panel, select the user account that will be connecting to the server via the IPsec connection, and then click Modify. If there is a Download button for downloading the certificate, click the button. If there is no Download button, the user does not yet have a certificate (see About Digital Certificates above).

  5. Save the certificate file to a safe place that is not shared on the network, and not accessible to other users on the machine that don't have "administration" privileges.

  6. Click Start and then Run.

  7. Enter "mmc" and then click OK. This will start the Microsoft Management Console.

    • Win2000 only: From the menu, select Console and then Add/Remove Snap-in.

    • WinXP only: From the menu, select File and then Add/Remove Snap-in.

  8. Click Add.

  9. Select the Certificates snap-in. Click Add.

  10. Select Computer account. Click Next.

  11. Select Local computer. Click Finish.

  12. In the Add Standalone Snap-in window, click Close.

  13. In the Add/Remove Snap-in window, click OK.

  14. The Certificates snap-in has now been added.

  15. Expand the Certificates tree by clicking on the plus (+) sign. Right-click on the Personal folder, select All tasks and then Import. The Certificate Import Wizard starts.

  16. Click Next.

  17. The "File to import" box appears. Click Browse.

  18. Change Files of type to Personal Information Exchange (*.pfx, *.p12).

  19. Select the certificate file that you downloaded from the Administrator Portal earlier. Click Open.

  20. In the File to Import dialog, click Next. There is no password protecting the certificate file.

  21. Click Next.

  22. Select Automatically select the certificate store. Click Next.

  23. Complete the Certificate Import Wizard by clicking Finish.

  24. Right-click on the Certificates tree node and select Refresh to reveal the certificate you just imported.

  25. The imported certificate should now appear in the Personal/Certificates/ sub-folder of the Certificates tree. Click on this sub-folder, and double-click on the certificate. In the certificate information window, select the Certification path tab, and check the Certificate Status.

  26. If the status reports This certificate is OK, then continue to the next step.

  27. If there is a problem with the certificate, you may need to start over. Right-click on the certificate and choose Delete, and then click Yes. Repeat the procedure from Step 4.

  28. Click OK in the certificate information window to close it.

    • Win2000 only: From the menu, select Console and then Save.

    • WinXP only: From the menu, select File and then Save.

  29. Keep the default folder, but change the File name field to certificates. Click Save.

  30. You have successfully imported the certificate. Close the MMC window.
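The following script is an added example and is not part of the MSL documentation or the MSL product. It is the scripted equivalent of the CAUTION about time skew and of steps 6 to 28 above: it measures the clock offset between the client and the MSL server, imports the downloaded certificate into the computer's Personal store, and reports the same chain status that the Certification path tab shows. It assumes a PowerShell session run as Administrator on a client with the PKI module (Windows 8 / Server 2012 or later, so not the Windows 2000/XP clients the steps above describe), and the path and server name are placeholders to replace.

```powershell
# Added example (not MSL's own tooling). Placeholders: $PfxPath is the file saved
# in step 5, $MslServer is the MSL server's host name or IP address.
param(
    [string]$PfxPath        = 'C:\Secure\user.p12',    # placeholder path
    [string]$MslServer      = 'msl.example.invalid',   # placeholder server
    [int]   $MaxSkewSeconds = 300                      # tolerance chosen for this example
)

# 1. Time skew: the certificate's start date is the MSL server's clock at creation,
#    so compare the client clock with the server before importing. Each sample line
#    from w32tm ends in an offset such as ", +00.0123456s".
$samples    = w32tm /stripchart /computer:$MslServer /samples:3 /dataonly 2>&1
$offsetLine = $samples | Select-String -Pattern ',\s*([+-][0-9.]+)s' | Select-Object -Last 1
if ($offsetLine) {
    $offset = [double]$offsetLine.Matches[0].Groups[1].Value
    if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
        Write-Warning ("Client clock differs from {0} by {1:N1} s; a freshly created certificate may not be valid here yet." -f $MslServer, $offset)
    }
} else {
    Write-Warning "Could not measure the offset against $MslServer; check both clocks manually before continuing."
}

# 2. Import into the computer's Personal store (MMC: Certificates > Personal).
#    The MSL-issued file has no password, so -Password is omitted.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Equivalent of the Certification path tab: build the chain and report its status.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

"Subject     : $($cert.Subject)"
"Valid from  : $($cert.NotBefore.ToUniversalTime()) UTC"
"Valid until : $($cert.NotAfter.ToUniversalTime()) UTC"
"Client time : $((Get-Date).ToUniversalTime()) UTC"
if ($chainOk) {
    'Certificate status: OK'
} else {
    'Certificate status: problem'
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
    # Mirrors step 27: remove the failed import so the procedure can be repeated from step 4.
    Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
}
```

Unlike the wizard's "Automatically select the certificate store" option, this script places only the user certificate in the Personal store; if the chain fails with an UntrustedRoot status, the MSL CA certificate contained in the file still has to be placed in the Trusted Root Certification Authorities store before the status will read OK. A NotTimeValid status with a "Valid from" time that is later than the client time is the time-skew problem the CAUTION describes.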

Deleting Digital Certificates

The IPsec digital certificate for a user is removed when any of the following occurs:

  • The user account is locked.

  • The user account is deleted.

  • VPN Client Access is switched off from the user modify panel.

To manually delete client certificates, go to the Remote Access panel and check the box labeled Reset digital certificates. Click Save.