Business partner demand-dial connection

To use certificates for a two-way initiated, mutually authenticated, demand-dial configuration between two business partners (in this example, Company A and Company B), you must perform the following:

Configuring the calling and answering routers for demand-dial routing

Configure the Windows 2000 calling and answering routers as described in Deploying demand-dial routing for dial-in demand-dial routing or Deploying router-to-router VPNs for VPN demand-dial routing.

Installing computer certificates on the calling router and answering router computers

In order to configure EAP-TLS on the answering router computer, you must install a computer certificate (also known as a machine certificate). In order to install a computer certificate, a certificate authority must be present to issue certificates. Once the certificate authority is configured, you can install a certificate in one of two ways: automatic enrollment (auto-enrollment) through the domain, or manual enrollment through Certificate Manager.

Based on the certificate policies in your organization, you need to perform only one of these two allocations.

To configure a certificate authority and install the computer certificate, perform the following steps:

  1. Install the Windows 2000 Certificate Services component as an enterprise root certificate authority (CA). This step is only necessary if you do not already have an enterprise root CA.
    1. If necessary, promote the computer that will be a CA to a domain controller (DC). For more information, see To install a domain controller.
    2. Install the Windows 2000 Certificate Services component as an enterprise root CA. For more information, see To install an enterprise root certification authority.
  2. Configure the CA to issue router (offline request) certificates. For more information, see To establish the certificate types that an enterprise certification authority can issue.
  3. To auto-enroll machine certificates, configure the Windows 2000 domain. For more information, see To configure automatic certificate allocation from an enterprise CA.
  4. To create a computer certificate for the calling or answering router that is a member of the domain for which auto-enrollment is configured (as well as for other computers that are members of the domain), restart the computer or type secedit /refreshpolicy machine_policy at a Windows 2000 command prompt.
  5. To manually enroll machine certificates, use Certificate Manager to install the CA root certificate. For more information, see To manage certificates for a computer and To request a certificate.

Configuring the domain for Web-based certificate enrollment

In order for the CA to issue certificates for the calling router, you must configure the Windows 2000 domain for Web-based enrollment. For more information, see To set up certification authority Web enrollment support.

Creating a user account and exporting its certificate for the Company B router

To create a dial-in user account for the Company B router and export the user certificate of the user account, do the following:

  1. Log on as a domain administrator.
  2. Create a user account that the Company B router will use when it dials the Company A router. For more information, see To add a user account.
  3. Obtain a router (offline request) certificate from the certificate authority through Web-based enrollment. For more information, see To install a router (offline request) certificate.
  4. Export the router (offline request) certificate to a .cer file. For more information, see To export a certificate. Within the Certificate Manager Export wizard, do not export the private key.
  5. Map the newly created router (offline request) certificate (the .cer file) to the user account that was created for the Company B router. For more information, see To map a certificate to a user account.
  6. Export the router (offline request) certificate to a .pfx file. For more information, see To export a certificate. Within the Certificate Manager Export wizard, export the private key, select the Delete the private key if the import is successful check box, and click Include all certificates in the certification path if possible. Save this file to a floppy disk to send to the network administrator at Company B.
  7. Send the floppy disk that contains the Company B dial-in account user certificate file to the network administrator at Company B.

Creating a user account and exporting its certificate for the Company A router

To create a dial-in user account for the Company A router and export the user certificate of the user account, do the following:

  1. Log on as a domain administrator.
  2. Create a user account that the Company A router will use when it dials the Company B router. For more information, see To add a user account.
  3. Obtain a router (offline request) certificate from the certificate authority through Web-based enrollment. For more information, see To install a router (offline request) certificate.
  4. Export the router (offline request) certificate to a .cer file. For more information, see To export a certificate. Within the Certificate Manager Export wizard, do not export the private key.
  5. Map the newly created router (offline request) certificate (the .cer file) to the user account created for the Company A router. For more information, see To map a certificate to a user account.
  6. Export the router (offline request) certificate to a .pfx file. For more information, see To export a certificate. Within the Certificate Manager Export wizard, export the private key, select the Delete the private key if the import is successful check box, and click Include all certificates in the certification path if possible. Save this file to a floppy disk to send to the network administrator at Company A.
  7. Send the floppy disk that contains the Company A dial-in account user certificate file to the network administrator at Company A.
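Both export procedures above produce a public-only .cer file (for account mapping) and a .pfx file carrying the private key and the CA chain (for the partner router). The following added check script, which is not part of this documentation, verifies those two files before the .cer is mapped and the .pfx is shipped; it assumes a current Windows PowerShell with the PKI module (Get-PfxData), and the file paths and password are parameters you supply.

```powershell
# Added example, not from the Windows 2000 documentation: validate the .cer/.pfx pair
# produced by the export steps above. Assumes the PKI module (Get-PfxData) is available.
param(
    [Parameter(Mandatory)] [string]       $CerPath,      # .cer exported WITHOUT the private key
    [Parameter(Mandatory)] [string]       $PfxPath,      # .pfx exported WITH the private key and chain
    [Parameter(Mandatory)] [securestring] $PfxPassword   # password set in the Export wizard
)

$problems = @()

# 1. The .cer used for mapping to the dial-in account must carry the public certificate only.
#    A DER .cer cannot hold a key, so this mainly catches a .pfx that was mislabelled as .cer.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
if ($cer.HasPrivateKey) { $problems += "$CerPath contains a private key; re-export without it." }

# 2. The .pfx handed to the partner must include the private key and the issuing CA chain
#    ("Include all certificates in the certification path if possible" in the wizard).
$pfx = Get-PfxData -FilePath $PfxPath -Password $PfxPassword
$endEntity = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $endEntity) {
    $problems += "$PfxPath has no end-entity certificate."
} elseif (-not $endEntity.HasPrivateKey) {
    $problems += "$PfxPath does not include the private key; the router cannot use it for EAP-TLS."
}
if ($pfx.OtherCertificates.Count -eq 0) {
    $problems += "$PfxPath carries no CA certificates; the partner router cannot build the chain."
}

# 3. Both files must describe the same router certificate, otherwise the account mapping
#    will never match the certificate the partner router presents during EAP-TLS.
if ($endEntity -and $endEntity.Thumbprint -ne $cer.Thumbprint) {
    $problems += "Thumbprint mismatch: .cer $($cer.Thumbprint) vs .pfx $($endEntity.Thumbprint)."
}

# 4. Catch a certificate that is already expired or not yet valid before it is shipped.
$now = Get-Date
if ($now -lt $cer.NotBefore -or $now -gt $cer.NotAfter) {
    $problems += "Certificate is outside its validity period ($($cer.NotBefore) to $($cer.NotAfter))."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"OK: $($cer.Subject) (thumbprint $($cer.Thumbprint)) is consistent across $CerPath and $PfxPath."
```

Run it once for the Company B pair and once for the Company A pair; a non-zero exit code means one of the export steps should be repeated before the floppy disk is sent.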

Importing the certificates from Company B

Upon receipt at Company A of the floppy disk that contains the certificate file from Company B, on the Company A router, import the user certificate. For more information, see To import a certificate.

Configuring the Company A router to support certificate-based authentication

To configure the Company A router for certificate-based authentication as an answering router, see To configure the answering router for certificate-based EAP.

To configure the Company A router for certificate-based authentication as a calling router, see To configure the calling router for certificate-based EAP.

Importing the certificates from Company A

Upon receipt at Company B of the floppy disk that contains the certificate file from Company A, on the Company B router, import the user certificate. For more information, see To import a certificate.

Configuring the Company B router to support certificate-based authentication

To configure the Company B router for certificate-based authentication as an answering router, see To configure the answering router for certificate-based EAP.

To configure the Company B router for certificate-based authentication as a calling router, see To configure the calling router for certificate-based EAP.