Using Certificates with IPSEC

[Guest]

How do you implement IPSEC using Certificates? Right now I have it set up
with Kerberos. Does the Client/Server have to have each others Certificate,
etc?

 

[Brian Komar]

How do you implement IPSEC using Certificates? Right now I have it set up
with Kerberos. Does the Client/Server have to have each others Certificate,
etc?

Both endpoints (computers) must have a certificate that chains to the
same root CA, or to CAs that are trusted by the opposite endpoint.

Brian

 

[Guest]

What is the process of trusting other computers for IPSEC using Certificates?

 

[Brian Komar]

What is the process of trusting other computers for IPSEC using Certificates?

1) You have to deploy the certificates to the two endpoint computers
2) Change the authentication method for the IP Security Rule to
certificates, rather than Kerberos or pre-shared keys. When you
designate the certificate on the AUthentication Methods tab, you then
designate the root CA certificate that must be used.

Correcting myself, you must use the same root CA on both ends. The CA
can be different CAs that chain to the same root CA.

Brian

 

[Louise Bowman [MSFT]]

One more thing:
Make sure the certs are machine certs and not user certs.