Specifications
Cisco Systems, Inc.
All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 39 of 42
8 Appendix A—Microsoft Windows 2000 Certificate Services Setup
This appendix provides the procedure used to configure the Microsoft Windows 2000 Server certification authority
services in the Validation Lab. Please refer to Microsoft Windows 2000 Server documentation for further help.
Click Add/Remove Programs in the Control Panel and then choose the Add/Remove Windows Components option.
Install and configure Certificate Services on the server:
• Select Enterprise Root CA when prompted for the certification authority type.
• Provide the certification authority identifying information.
• Select the default settings for the remaining setup options and allow the Certificate Services installation to
complete.
• To set up certificate templates, begin by searching in Windows Help for “CA.” From the listed topics, select
“Certificate templates,” and then under that topic, select the link titled “Establish the certificate types that an
enterprise certification authority can issue.” Follow the instructions for establishing the certificate type that can
be issued, and when prompted select from the template list. Add all certificate templates in the list.
• The instructions for automatic certificate allocation can be found by searching for “auto enrollment” in Windows
Help and selecting “Machine certificates for L2TP over IPSec VPN connections” from the list of displayed topics.
This topic has a link titled “To configure automatic certificate allocation from an enterprise CA” that provides
the necessary setup instructions. During the running of the Automatic Certificate Request Setup Wizard, select
Computer or Domain Controller when prompted for a certificate template for certificates to be issued. After the
setup wizard has completed the setup, create a computer certificate for the server by typing the following
command at the Windows 2000 Server command prompt:
secedit /refreshpolicy machine_policy
8 Appendix B—Demo Certificates
Sample certificates are provided in the .zip file located at
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/tcert.zip, to do
EAP-TLS testing (without having to set up the certification authority server infrastructure):
• Three client certificates:
– eaptls1.p12
– eaptls2.p12
– eaptls3.p12
• One server certificate for the AAA server (Windows-based) and one corresponding private key file
– server.cer (certificate)
– server.pvk (private key file). Password is “acsi”
• One certification authority certificate that issued the AAA server and the client certificates
– ca.cer (certificate)
To use the client certificate:
1. Create a user account on the Microsoft XP client (with user-id eaptls1, eaptls2, or eaptls3).
2. Copy the appropriate client certificate to the XP machine and click it to install (the private key is inside and does
not require a password).
3. Follow instructions in Section 6.4 to complete the Microsoft XP client configuration.
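Before loading a demo bundle such as eaptls1.p12 onto a client, it is worth confirming that the certificate inside it was really issued by the CA in ca.cer and that it carries the Client Authentication extended key usage that EAP-TLS supplicants require. The script below is an added example and is not part of the Cisco document or its demo .zip; it assumes the openssl command-line tool is available and, because the real demo files are not reproduced here, it first builds a throw-away CA and an equivalent password-less .p12 (names such as “Demo Lab CA” and the file layout are constructed for the example), then runs the two checks against them. The same check_client_p12 function can be pointed at the document’s eaptls1.p12 and a PEM copy of ca.cer (openssl x509 -inform der -in ca.cer -out ca.pem).

```shell
#!/bin/sh
# Added example (not from the Cisco document). Builds a demo CA plus one
# EAP-TLS client PKCS#12 bundle with an empty private-key password, mirroring
# the layout of ca.cer / eaptlsN.p12, then checks the bundle the way a
# practitioner would before installing it on a client. Requires openssl.
set -e

# make_demo_fixtures DIR: create ca.pem, ca.key and eaptls1.p12 in DIR.
make_demo_fixtures() {
    dir="$1"
    # Self-signed CA certificate standing in for the document's ca.cer
    # (constructed name, 2-day lifetime is enough for a lab check).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Demo Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # Key and certificate request for the constructed user eaptls1.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=eaptls1" \
        -keyout "$dir/eaptls1.key" -out "$dir/eaptls1.csr" >/dev/null 2>&1
    # Issue the client certificate with the Client Authentication EKU,
    # which is what an EAP-TLS client certificate must carry.
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -sha256 -days 2 -in "$dir/eaptls1.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/eaptls1.pem" >/dev/null 2>&1
    # Bundle key + certificate (+ CA) into a PKCS#12 file with an empty
    # password, as the document describes the demo .p12 files.
    openssl pkcs12 -export -in "$dir/eaptls1.pem" -inkey "$dir/eaptls1.key" \
        -certfile "$dir/ca.pem" -name eaptls1 -passout pass: \
        -out "$dir/eaptls1.p12"
}

# check_client_p12 P12 CAFILE: return 0 only if the end-entity certificate in
# P12 (empty password) verifies against CAFILE and lists the clientAuth EKU.
check_client_p12() {
    p12="$1"; cafile="$2"
    tmp="$(mktemp)"
    # Pull out just the client certificate: no private key, no CA certs.
    openssl pkcs12 -in "$p12" -passin pass: -nokeys -clcerts -out "$tmp" 2>/dev/null
    # Trust chain: the certificate must verify against the CA file alone.
    if ! openssl verify -CAfile "$cafile" "$tmp" >/dev/null 2>&1; then
        echo "FAIL: $p12 does not chain to $cafile"; rm -f "$tmp"; return 1
    fi
    # EKU: openssl's text dump names clientAuth "TLS Web Client Authentication".
    if ! openssl x509 -in "$tmp" -noout -text | grep -q "TLS Web Client Authentication"; then
        echo "FAIL: $p12 lacks the Client Authentication EKU"; rm -f "$tmp"; return 1
    fi
    echo "OK: $p12 chains to $cafile and carries the Client Authentication EKU"
    rm -f "$tmp"
    return 0
}

# Usage: sh check_eaptls_p12.sh [DIR]
# Builds the demo fixtures in DIR (default: a temporary directory) and checks
# the resulting bundle; reuse check_client_p12 alone for real files.
workdir="${1:-$(mktemp -d)}"
make_demo_fixtures "$workdir"
check_client_p12 "$workdir/eaptls1.p12" "$workdir/ca.pem"
```

The two checks are deliberately separate: a bundle can chain correctly yet still be rejected by the supplicant if the template used to issue it lacked the Client Authentication purpose, and a certificate with the right EKU is useless if it was not issued by the CA the AAA server trusts. Running the same function against a .p12 and an unrelated CA certificate returns non-zero, which is the result you want to see before trusting a bundle in the lab.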