Certificate installation error 0x800b010a
A year ago, we got a workaround from Microsoft for installing certificates on Vista from a foreign domain CA for establishing VPN IPSec connections. We could prepare a certificate and install this certificate on a Vista machine with the command "CERTREQ.EXE -accept certificate.cer".
We have found that Windows 7 requires the additional parameter -machine or -user for certreq.exe. But even then, Windows 7 does not allow us to install the certificate: we get the error message "0x800b010a - A certificate chain could not be built to a trusted root authority -2146762486", and the certificate import does not occur.
This message is correct. But in Vista, we could import the certificate with the private key that way, then export the certificate with all path information to a p7b file, then import the root certificate in the "trusted root certificate authorities folder", and then establish the VPN IPSec connection.
Any advice on how we can import certificate.cer with the private key in Windows 7? Thank you in advance for any help.
Franz
August 20th, 2009 2:25pm

Have you tried double clicking the .Cer file and clicking on install, and following the wizard from there ????
August 20th, 2009 7:42pm

- The private key that is required for IPSec communication is not imported when double clicking the certificate and importing it from the wizard.
- Double clicking the .Cer file does install the certificate in the user certificate store. Certificates for IPSec communication have to be in the machine certificate store.
Thank you all in advance for any more help!
Franz
August 21st, 2009 9:31am

Follow the following guide on how to install a certificate in the root; it's for Vista but will work for Windows 7 too: http://www.thebitguru.com/articles/13-Importing%2520a%2520Trusted%2520Root%2520Certification%2520Authority%2520in%2520Windows%2520Vista/188-Installing%2520the%2520Certificate
August 21st, 2009 10:23am

Thank you for your help! I was able to import the required root certificate.
However, importing the certificate for IPSec communication with its private key still doesn't work. When running "CERTREQ.EXE -accept -machine certificate.cer", I'm getting the error "Cannot find object or property. 0x80092004 (-2146885628)".
Thank you in advance for any more help.
Franz
August 24th, 2009 3:13pm

Why don't you use the Certificates Console to import the IPSec certificate too?
1. Type Certmgr.msc in the search box or in the run window.
2. Expand the Personal store and right click on the Certificate folder below the Personal folder.
3. Point to All Tasks and then click Import.
4. Click Next, and follow the instructions.
Let us know how it goes....
August 24th, 2009 4:12pm

- The GUI method does NOT import the private key that is required for IPSec communication.
- The GUI method that you describe does import the certificate in the user certificate store, but an IPSec certificate has to be in the machine certificate store. (Although this can be done by running mmc.exe, add/remove SnapIn, choose certificates, then choose computer instead of the user certificate store.)
Regards,
Franz
August 24th, 2009 4:32pm

Hi,
Thank you for your posts. Based on my research, I would like to suggest the following:
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, and then click Add.
4. Under This snap-in will always manage certificates for, click Computer account, and then click Next.
5. Click Local computer, and click Finish.
6. If you have no more snap-ins to add to the console, click OK.
7. In the console tree, double-click Certificates.
8. Right-click the Trusted Root Certification Authorities store.
9. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
Hope this helps. Thanks.
Nicholas Li - MSFT
August 27th, 2009 12:06pm

Hi,
Like I wrote in my posts before: The GUI method does NOT import the private key of the certificate. The GUI import works, but the certificate is imported without private key. A certificate with a private key is visible in the MMC with another icon, containing a "key" symbol.
Franz
August 28th, 2009 9:35am

Just created a test environment and I'm able to import a certificate with the private key in my machine. The VPN certificate was generated on a foreign domain's CA and, as I said in my previous post, I double clicked on the certificate file and clicked Install and followed the wizard from there.... Are you sure the certificate is good...
August 28th, 2009 6:32pm

We created the certificate as described below. We obtained the description from Microsoft PSS and were able to install on the Vista clients the certificate that the file "certificate.cer" contains with certreq.exe, and the certificate was installed with the private key in Vista. So we know that the certificate in certificate.cer is correct and contains a private key.
When importing the certificate from "certificate.cer" with the GUI in Vista as well as with Windows 7, the private key is not imported. The problem we have is that it's not possible with Windows 7 to import a certificate with CERTREQ.EXE.
Franz

Problem Summary:
----------------
Cannot establish VPN (Certificate based) Connection from a external Vista client after installing hotfix 922706 on a server.

Action:
-------
Request, submit and install a certificate with certutil and certreq tools:
1.1 Copy Client folder on the client. Copy the Server folder on the Server.
1.2 Server: Start > run > cmd >
    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    net stop certsvc
    net start certsvc
1.3 Client: Start _CreateRequest.bat > OK. Copy request.req file from Client folder to the Server folder.
    Server: Start _SubmitRequest.bat file > OK. Copy certificate.cer and certificate.p7b files from the Server folder to the Client folder.
    Client: Start _AcceptRequest.bat file.
1.4 Client: Export with private key the certificate from User Certificates. Import the certificate in Computer Certificates.

Client folder contains:
=======================
_AcceptRequest.bat
-------------------------------
CERTREQ -accept certificate.cer
-------------------------------
_CreateRequest.bat
------------------------------------
certreq -new policy.inf request.req
------------------------------------
policy.inf
------------------------------------------------------------------
[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN="
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = FALSE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = TRUE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
KeyUsage = 0xa0

[RequestAttributes]
CertificateTemplate = IPSECIntermediateOffline
------------------------------------------------------------------

Client folder contains:
=======================
_SubmitRequest.bat
------------------------------------------------------------------
rem
rem
set issue_for_this_computer=cl1-2003
rem
rem
CERTREQ -submit -attrib "CertificateTemplate:IPSECIntermediateOffline\nSAN:DNS=%issue_for_this_computer%" request.req certificate.cer certificate.p7b
------------------------------------------------------------------
certadm.dll
certcli.dll
certreq.exe
certutil.exe

Solution:
---------
Vista Client can establish VPN connection
August 31st, 2009 1:02pm
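
The thread ends without an explanation for the two certreq errors. The PowerShell check below is an added example, not part of any post and not Microsoft's procedure: it looks for the pending request (the placeholder that carries the private key) in the user and machine REQUEST stores and tests whether certificate.cer chains to a trusted root in each context. The file name comes from the thread; the function names Find-PendingRequest and Test-Chain are hypothetical.

```powershell
# Added example, not from the thread. Run on the client that created request.req.
param([string]$CerPath = ".\certificate.cer")

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    (Resolve-Path $CerPath).Path
$issuedKey = $cert.GetPublicKeyString()

# "certreq -new" leaves a placeholder with the private key in the REQUEST store
# of the context it ran in: the user store when policy.inf has MachineKeySet = FALSE,
# the machine store when it has MachineKeySet = TRUE. "certreq -accept" has to be
# pointed at the same context, otherwise it finds no key to pair the certificate with.
function Find-PendingRequest([string]$Location) {
    Get-ChildItem "Cert:\$Location\REQUEST" -ErrorAction SilentlyContinue |
        Where-Object { $_.GetPublicKeyString() -eq $issuedKey }
}

# Build the chain in the user or the machine context. A root installed only in
# the user's Trusted Root store does not help an accept into the machine store.
function Test-Chain([bool]$MachineContext) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $MachineContext
    # The foreign CA's CRL may be unreachable from this client; test root trust only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($cert)) { return 'trusted' }
    # PartialChain or UntrustedRoot here corresponds to the 0x800b010a message.
    return ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}

$inUser    = @(Find-PendingRequest 'CurrentUser').Count -gt 0
$inMachine = @(Find-PendingRequest 'LocalMachine').Count -gt 0

"User context   : pending request = $inUser, chain = $(Test-Chain $false)"
"Machine context: pending request = $inMachine, chain = $(Test-Chain $true)"

if ($inMachine) {
    'Use: certreq -accept -machine certificate.cer'
} elseif ($inUser) {
    'Use: certreq -accept -user certificate.cer, then export with the private key and import into Computer Certificates (step 1.4)'
} else {
    'No pending request for this key in this profile or on this machine; the private key is not here.'
}
```

A .cer file carries only the public certificate, so the private key can only come from the pending request on the machine and in the context where the request was generated.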

This topic is archived. No further replies will be accepted.
