Generation of computer certificates with a Winbugs CA

If you want to deploy EAP-TLS on your network and require a certificate on every end device, this guide may help. It walks through generating a computer certificate from a Windows CA and configuring the computer to authenticate with EAP-TLS using that certificate. Important: this validates only the device, not the user. Any user who can log on to the computer gets onto the network as long as the computer's certificate is valid, so treat the certificate's private key as a credential of the machine and protect it accordingly.

To generate the certificates, we will use a Windows Server 2003 machine with Certificate Services (the certification authority, CA) installed together with its web enrollment pages, which run on IIS on the same server.

Open a web browser, preferably on the computer that will use the certificate (the key pair is generated on the machine running the browser, so requesting from the target computer means the private key never has to leave it), and go to http://your_server/certsrv/, where your_server is the DNS name or IP address of the CA's web server.

Click "Request a certificate", then "advanced certificate request", then "Create and submit a certificate request to this CA".

In the Name field, type the name of the computer for which you are requesting this certificate. This becomes the certificate's subject name, so use the computer's full DNS name rather than a nickname.

In "Type of certificate needed", select "Client Authentication Certificate". EAP-TLS requires the Client Authentication extended key usage on the device certificate.

Under Key Options, create a new key set and for Key Usage select "Both" (signature and exchange).

Select the "Mark keys as exportable" check box only if you need it. It does not write anything by itself; it allows the certificate and its private key to be exported later as a PKCS #12 (.pfx) file, which is useful if you want to copy the certificate to another computer. If the key is meant to stay on this machine, leave the box unchecked: a non-exportable key cannot be lifted off the computer by an ordinary export, which is exactly what you want for a device credential.

Select the "Store certificate in the local computer certificate store" check box. This option matters: it places the certificate and key in the computer store instead of the current user's store, and computer authentication for EAP-TLS only looks in the computer store. Checking it requires local administrator rights on the machine.

Then you just need to wait for your CA to issue the certificate (or issue it yourself from the Certification Authority console if requests are held as pending). Once it has been issued, return to the web enrollment pages and install it. Because you selected the local computer store, it lands there; you can confirm this with the Certificates (Local Computer) MMC snap-in under Personal\Certificates.

Now, to make EAP-TLS use this computer certificate for all users, you need to modify the registry of the computer on which you installed the certificate. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global and add a new DWORD value named AuthMode with the value 2, which means computer-only authentication: the EAPOL client authenticates with the machine certificate and never attempts user authentication. You need Administrator privileges on the computer for this.

Now restart either the computer or the Wireless Zero Configuration service and you are done. From then on the computer certificate is presented for EAP-TLS regardless of which user is logged on.
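The same procedure, scripted, as an added example that is not part of the original guide: it enrolls the computer certificate with certreq instead of the web pages (same choices: computer store, key usable for signature and exchange, Client Authentication EKU), sets AuthMode=2 and restarts Wireless Zero Configuration. The CA name, domain suffix and temp paths are placeholders; it assumes you run it as a local Administrator on the client and that certreq.exe and certutil.exe are available (they ship with Windows Server 2003; an XP client may need the Administration Tools Pack).

```batch
@echo off
REM Added example, not the original guide's code. Assumptions:
REM   - run as a local Administrator on the client,
REM   - certreq.exe / certutil.exe present on the client,
REM   - CA reachable as HOST\CANAME (placeholders below, change them).
setlocal
set CA_CONFIG=certsrv.example.local\Example Issuing CA
set HOSTFQDN=%COMPUTERNAME%.example.local

REM 1. Request file, the scripted equivalent of the web-enrollment choices:
REM    MachineKeySet=TRUE    -> key and certificate go to the computer store
REM    KeySpec=1             -> exchange key, usable for signature too ("Both")
REM    KeyUsage=0xA0         -> digitalSignature + keyEncipherment
REM    Exportable=TRUE       -> allows a later PKCS #12 export; use FALSE if
REM                             the key must never leave this machine
REM    EKU 1.3.6.1.5.5.7.3.2 -> Client Authentication, required for EAP-TLS
> "%TEMP%\eaptls.inf" (
  echo [Version]
  echo Signature="$Windows NT$"
  echo.
  echo [NewRequest]
  echo Subject = "CN=%HOSTFQDN%"
  echo KeySpec = 1
  echo KeyLength = 2048
  echo KeyUsage = 0xA0
  echo Exportable = TRUE
  echo MachineKeySet = TRUE
  echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
  echo ProviderType = 12
  echo RequestType = PKCS10
  echo.
  echo [EnhancedKeyUsageExtension]
  echo OID = 1.3.6.1.5.5.7.3.2
)
certreq -new "%TEMP%\eaptls.inf" "%TEMP%\eaptls.req" || goto :fail

REM 2. Submit to the CA. If the CA holds requests as pending, certreq prints a
REM    request ID instead of writing the .cer; once an admin issues it, fetch it
REM    with:  certreq -retrieve -config "%CA_CONFIG%" <ID> "%TEMP%\eaptls.cer"
certreq -submit -config "%CA_CONFIG%" "%TEMP%\eaptls.req" "%TEMP%\eaptls.cer"

REM 3. Install the issued certificate; it pairs with the MachineKeySet key,
REM    so it lands in the computer store, not the user store.
certreq -accept "%TEMP%\eaptls.cer" || goto :fail

REM 4. Computer-only EAPOL authentication (AuthMode=2).
reg add "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global" /v AuthMode /t REG_DWORD /d 2 /f || goto :fail

REM 5. Restart Wireless Zero Configuration so it picks up the new setting.
net stop wzcsvc
net start wzcsvc

REM 6. Check: the certificate must show up in the machine "My" store.
certutil -store My | findstr /i "%HOSTFQDN%"
del "%TEMP%\eaptls.inf" "%TEMP%\eaptls.req"
goto :eof

:fail
echo Enrollment or configuration failed, see the output above.
exit /b 1
```

If step 6 prints nothing, the certificate most likely ended up in the current user's store (check with `certutil -store -user My`); EAP-TLS computer authentication will not find it there, and the fix is to re-enroll with MachineKeySet=TRUE from an elevated prompt.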