Off-line certificate enrolment on Windows 2000/XP

Last update: Feb 12, 2006



1.1 Introduction

There are several procedures that you can use to obtain a certificate on Windows 2000 and Windows XP clients. A number of procedures have been discussed on my webpage "Using a Linux L2TP/IPsec VPN server with Windows 2000/XP".

The following procedure was forwarded to me by Brian Candler. It is based on a procedure published by Microsoft. This procedure was intended to be used for Windows 2000/2003 Servers where the CA is off-line (not connected to a network for security reasons) and running Microsoft Windows Certificate Services.

However, Brian's procedure described below is for Windows 2000/XP clients. Also, the CA can be based on other (Open Source) CA software such as OpenSSL or TinyCA, so you don't have to buy a licence for a Windows Server with Certificate Services.

One advantage of this procedure is that you don't have to distribute certificates and private keys in PKCS#12 files, whose security is under discussion. The private key is generated by the client itself and should never leave that client.




2. The procedure

2.1 Procedure overview

2.2 Procedure details
2.3 Procedure tips

Here are some useful admin commands:

certutil -store my               # show all certificates to stdout
certutil -viewstore my           # show all certificates in GUI window
certutil -viewdelstore my        # delete certificate using GUI window
certutil -delstore my <certid>   # delete certificate matching <certid>


For <certid> you can use the certificate subject Common Name, the certificate serial number, a public key hash, or the numeric certificate index as shown by 'certutil -store my'. More information can be obtained using:

certreq -v -? | more
certutil -v -? | more
certutil -store -? | more
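As an added illustration of the client-side enrolment flow sketched in the introduction (the key pair is generated on the Windows client and only a PKCS#10 request travels to the off-line CA), here is a batch file built on certreq/certutil. It is not Brian's procedure or text from this page; the directory, the subject CN and the CA file names are assumptions.

```batch
@echo off
rem Added example (not from the original page). Run as a local administrator.
rem Placeholders: C:\enrol, the subject CN and the CA file names are assumed.

rem 1. Write the certreq request definition. Exportable=FALSE keeps the private
rem    key on this client; MachineKeySet=TRUE puts it in the machine store, which
rem    is where the IPsec policy agent looks for it.
mkdir C:\enrol 2>nul
(
echo [NewRequest]
echo Subject = "CN=client1.example.com"
echo KeyLength = 2048
echo Exportable = FALSE
echo MachineKeySet = TRUE
echo KeySpec = 1
echo KeyUsage = 0xa0
echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
echo ProviderType = 12
echo RequestType = PKCS10
) > C:\enrol\request.inf

rem 2. Generate the key pair and the PKCS#10 request (certreq ships with Windows).
certreq -new C:\enrol\request.inf C:\enrol\request.req
if errorlevel 1 goto :fail

rem 3. Carry request.req to the off-line CA and sign it there, for example with
rem    OpenSSL (assumed CA file names):
rem      openssl x509 -req -in request.req -CA ca.crt -CAkey ca.key ^
rem          -CAcreateserial -days 365 -out cert.cer
rem    Then bring cert.cer back to this client as C:\enrol\cert.cer.
if not exist C:\enrol\cert.cer (
    echo Sign C:\enrol\request.req on the CA and place cert.cer in C:\enrol, then rerun.
    goto :eof
)

rem 4. Bind the signed certificate to the waiting private key, then confirm it is
rem    in the machine "my" store (the CN works as the certid, as described above).
certreq -accept C:\enrol\cert.cer
if errorlevel 1 goto :fail
certutil -store my "client1.example.com"
goto :eof

:fail
echo Enrolment step failed; check the certreq output above.
exit /b 1
```

The same batch file can be run twice: the first run stops after producing request.req, the second (once cert.cer is present) completes the import.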

2.4 Acknowledgements

This procedure was forwarded to me by Brian Candler. Note: read the Adminpak's EULA carefully. It is not clear to me if you are allowed to copy files from an installed Adminpak to another Windows box. This is your own responsibility.

Jacco de Leeuw