Security: Setting up Certificate Authority Server with Win2003

I have been doing pre-shared-key based site-to-site VPN and decided to move on to the more advanced option of authenticating the VPN with digital certificates. I am using Windows 2003 as the Certificate Authority that issues the certificates the VPN peers (the ASA and routers) authenticate each other with. A pre-shared key is easy to set up and configure, but it does not scale: if you have more than two sites that need VPN, you may wish to consider a CA as your authentication choice.

This post records the steps I did to setup a CA.

Pre-requisite for CA using Windows 2003:

1. IIS server.

2. Certificate service.

3. The Simple Certificate Enrollment Protocol (SCEP) add-on for Windows Server 2003 (MSCEP), which can be downloaded from Microsoft.

Control Panel > Add or Remove Programs > Add/Remove Windows Components. It is recommended to install IIS first (under Application Server), because the web enrollment pages and the SCEP add-on both run inside IIS. If IIS is already installed, you can go straight to Certificate Services.
Before you continue, make sure the server's hostname is the one you want: once Certificate Services is installed you cannot rename the server (or change its domain membership) without breaking the CA.
Choose the default CA type, Stand-alone root CA.
Choose a common name for this CA and its validity period; the default is 5 years. Issued certificates cannot outlive the CA certificate, so pick a lifetime longer than the certificates you plan to issue.
Click Next and move on.


IIS will be stopped temporarily while Certificate Services is installed.
Make sure the Windows 2003 DVD/CD is in the drive, since setup copies files from it.
Certificate services installation in progress.


Certificate services installation finished.


Download the SCEP add-on from Microsoft.
Double-click the SCEP add-on to begin the installation.
This is the EULA; click Yes and move on.
Click Next to move on.
Choose the default and click Next.
Click Next; it is recommended to check the box for enhanced security. With it enabled, every SCEP enrollment must present a one-time challenge password, so a host that merely knows the URL cannot request a certificate from your CA.
Fill in the details and click Next.
Click Finish to complete the process.
http://cyruslab/certsrv/mscep/mscep.dll is the SCEP enrollment URL your ASA and routers will fetch the CA certificate from and send their certificate requests to. Remember it. Two checks worth doing before touching the VPN devices: first, open that URL in a browser from another machine; the page displays the CA certificate thumbprint (which you will compare against the fingerprint the router prints when it authenticates the CA) and a one-time enrollment challenge password that expires after a short time. Second, note that a stand-alone CA holds incoming requests as pending by default, so either issue them by hand in the Certification Authority console (Pending Requests) or set the Policy Module on the CA's properties to issue certificates automatically; otherwise the router keeps polling without ever receiving its certificate. The device must also be able to resolve the short name cyruslab in that URL (or use the server's IP address instead).
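To show what the consumer side of this URL looks like, here is an IOS router enrolling against the CA built above. This is an added example, not configuration from the original post: the hostname, domain, NTP server address, trustpoint name, key label and subject name are all assumptions to adjust for your site, and the syntax is the IOS 12.4-era "crypto pki" form (older releases spell it "crypto ca").

```cisco
! Added example (not part of the original post): IOS router enrolling
! against the Windows 2003 CA. Hostname, domain, NTP address, trustpoint
! name, key label and subject name are assumptions for illustration.
hostname router1
ip domain-name cyruslab.local
! The router needs correct time or it will reject the CA certificate as
! not yet valid; 192.0.2.10 is a placeholder NTP source.
ntp server 192.0.2.10
!
! Dedicated RSA key pair for the VPN certificate.
crypto key generate rsa general-keys label VPN-KEY modulus 2048
!
crypto pki trustpoint WIN2003-CA
 ! SCEP URL published by the MSCEP add-on on the Windows 2003 CA.
 enrollment url http://cyruslab/certsrv/mscep/mscep.dll
 ! The Microsoft SCEP add-on enrolls through a registration authority;
 ! older IOS releases must be told so, newer ones detect it themselves.
 enrollment mode ra
 subject-name CN=router1.cyruslab.local,OU=VPN,O=cyruslab
 rsakeypair VPN-KEY
 ! No CRL distribution point is set up in this post, so revocation
 ! checking is disabled for now; switch to "revocation-check crl" once
 ! the CA publishes a CRL the router can reach.
 revocation-check none
exit
!
! Step 1: fetch the CA certificate. IOS prints its fingerprint and asks
! whether to accept it; compare against the thumbprint shown on the
! mscep.dll page before answering yes.
crypto pki authenticate WIN2003-CA
!
! Step 2: request the router's own certificate. IOS prompts for the
! challenge password: use the one-time password displayed on the
! mscep.dll page (required because enhanced security was enabled).
crypto pki enroll WIN2003-CA
!
! Verify: both the CA certificate and the router certificate are listed.
! show crypto pki certificates
```

The same sequence on the ASA uses `crypto ca trustpoint`, `crypto ca authenticate` and `crypto ca enroll` with the same enrollment URL. If the CA is left at its stand-alone default of holding requests as pending, `crypto pki enroll` will report that the request is pending and keep polling until you issue it in the Certification Authority console.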


