You could request it via Web Enrollment. You would first need to allow the
computer to issue certificates based on the ipsec offline template which you
can do in the CA Management Console/policy settings - new certificate to
issue. Then the user would need to log on as local administrator, use Web
Enrollment to do an advanced request for an ipsec offline certificate
entering the fully qualified domain name of the computer as the name [i.e.
computer1.mydomain.com] and checking "use local machine store". If you
have a concern with allowing internet access for CA, then you might do it
just temporarily and configure your firewall or website properties to accept
connections from only the public IP address that the computer would request
the certificate from.
Otherwise you could do the same yourself using Web Enrollment via the LAN
and request the certificate for the computer. You would also have to enter
the name for the computer AND select to mark the private keys as exportable.
Then the certificate/private key will install on the computer you requested
the certificate from. After that use the MMC Certificates snap-in for
computer, find the certificate in the personal folder, select all tasks and
then export, select the option to export the private key and on the next
page select include all certificates in the certification path if possible but do
NOT select enable strong key protection. You will then have to choose a path
and name for the .pfx file and a password to protect it. You can then
send/email that file to the user and have them open it on their computer
which will prompt them for the password to protect the private key. It
should install the certificate/private key for them. I have noticed that it
may install to the wrong certificate store - user rather than computer.
Instruct the user to use the MMC Certificates snap-in for computer to see if
the certificate is there. If it is not, have them select the
personal/certificates folder, all tasks/import and browse to the .pfx file
and install it that way. The link below explains Web Enrollment in more
detail. Note that you may get warning messages from IE as you request and
install certificates via web pages, just select yes to the messages.
--- Steve
http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp
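
The store check and re-import described in the post above, as an added PowerShell example that is not part of the original post. It assumes a current Windows version with the built-in PKI module and an elevated session; the FQDN and the .pfx path are placeholders.

```powershell
# Added example. $Fqdn and $PfxPath are placeholders, not values from the post.
$Fqdn    = 'computer1.mydomain.com'   # name entered in the certificate request
$PfxPath = 'C:\Temp\computer1.pfx'    # hypothetical location of the received .pfx

# Return certificates in a store whose subject contains the name and which
# carry a private key. A certificate without its key is useless for IPsec.
function Find-CertWithKey {
    param(
        [Parameter(Mandatory)][string]$StorePath,
        [Parameter(Mandatory)][string]$Name
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$Name*" -and $_.HasPrivateKey }
}

$inMachine = Find-CertWithKey -StorePath 'Cert:\LocalMachine\My' -Name $Fqdn
$inUser    = Find-CertWithKey -StorePath 'Cert:\CurrentUser\My'  -Name $Fqdn

if ($inMachine) {
    # Certificate is where IPsec looks for it: computer account, Personal store.
    $inMachine | Format-List Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey
}
else {
    if ($inUser) {
        Write-Warning "Certificate for $Fqdn is in the user store, not the computer store."
    }
    # Import into the computer's Personal store. Without -Exportable the
    # private key is imported as non-exportable on this machine.
    $password = Read-Host -AsSecureString -Prompt 'PFX password'
    Import-PfxCertificate -FilePath $PfxPath `
                          -CertStoreLocation 'Cert:\LocalMachine\My' `
                          -Password $password
}
```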