I have an issue that I think is the result of the contents of the Enhanced Key Usage field of Certificates issued from the MSCEP add on.
The scenario is I have some Cisco Routers & PIX Firewalls that I wish to enroll for Certificates. I have got this working and the Routers & PIX both have the relevant certificates installed (CA Certificate, RA Encryption & Signature Keys plus the Routers' Public & Private Key pair - If I type show crypto ca certificates I can see them all listed, plus I can see on the Windows 2003 CA that the certificate has been issued).
Now all this bit works fine and I can use the Certificates for IPSec connections. The problem is the enrolled Certificate overwrites the self-signed certificate the Router or PIX originally created that allows me to manage them via HTTPS (SSL). If I connect via IE it begins to connect and then stops after the Public Key is exchanged. I believe it is because the Enhanced Key Usage field on the enrolled key only lists 'IP security IKE intermediate (1.3.6.1.5.5.8.2.2)'. I think it also needs 'Server Authentication (1.3.6.1.5.5.7.3.1)' to allow IE (or Netscape, Firefox etc.) to accept the Public Key.
The Certificate Template 'IPSec (offline request)' cannot be modified since it is a W2K template but a duplicate won't work with the MSCEP add on - are there any ways around this?
Andy
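The diagnosis in the post rests on which purpose OIDs the Enhanced Key Usage extension carries: RFC 5280 says that when the extension is present, the certificate may only be used for the purposes it lists, so an EKU containing only iKEIntermediate gives a browser no serverAuth purpose to accept for HTTPS. The following is an added example (not code from the post, Cisco or Microsoft) that encodes and decodes the DER value of the EKU extension as a plain SEQUENCE OF OBJECT IDENTIFIER and reports which required purposes are missing. It assumes you feed it the raw extension value bytes (for instance from `openssl asn1parse` or `certutil -dump`); the sample inputs below are constructed to match the two EKU sets named in the post.

```python
"""Check which Enhanced Key Usage (EKU) purposes a certificate carries.

The EKU extension value (RFC 5280, id-ce-extKeyUsage) is DER:
    ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
    KeyPurposeId      ::= OBJECT IDENTIFIER
This module encodes and decodes that structure without any third-party
library so the check can run on any box with Python.
"""
from typing import Iterable, List, Tuple

# Purpose OIDs named in the post, plus clientAuth for completeness.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth: what browsers want for HTTPS
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"  # iKEIntermediate: what the IPSec template issues


def _base128(n: int) -> bytes:
    """Encode one OID arc in base-128 with continuation bits (X.690 8.19)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_len(len(body)) + body


def encode_eku(oids: Iterable[str]) -> bytes:
    """Encode a list of purpose OIDs as the DER EKU extension value (SEQUENCE, tag 0x30)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    arcs: List[int] = []
    val = 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def decode_eku(der: bytes) -> List[str]:
    """Parse the EKU extension value and return its purpose OIDs in order."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value is not a single DER SEQUENCE")
    oids: List[str] = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE contains a non-OID element")
        oids.append(decode_oid(value))
    return oids


def missing_purposes(eku_der: bytes, required: Iterable[str]) -> List[str]:
    """Return the required purpose OIDs that the EKU does not grant."""
    present = set(decode_eku(eku_der))
    return [oid for oid in required if oid not in present]


if __name__ == "__main__":
    # Constructed sample: EKU as issued from the 'IPSec (offline request)' template.
    ipsec_only = encode_eku([IKE_INTERMEDIATE])
    print("missing for HTTPS:", missing_purposes(ipsec_only, [SERVER_AUTH]))
    # Constructed sample: EKU carrying both purposes, which a browser would accept.
    both = encode_eku([IKE_INTERMEDIATE, SERVER_AUTH])
    print("missing for HTTPS:", missing_purposes(both, [SERVER_AUTH]))
```

Run it stand-alone to see the first sample report serverAuth as missing and the second report nothing missing; to check a real device certificate, paste the hex of the EKU extension value into `bytes.fromhex(...)` and call `missing_purposes` with the purposes the management protocol needs.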