Computer Certificates, Non-Domain Computer
I have not consistently been able to get IPsec-secured connections between a WS08 computer and a non-domain Vista computer to work when the authentication method is Computer Certificate. I would appreciate any suggestions on how to get it to work consistently.

The CA is stand-alone, and is running on the WS08 computer, which is also a domain controller and Terminal Server. The Vista computer is not a member of the domain.

When an IPsec-secured and encrypted RDP connection is initiated from Vista, the security logs on both WS08 and Vista show Event 4653 (IKE authentication credentials are unacceptable), with Vista being the failure point noted in both logs. The CAPI2/Operational log on Vista shows no errors.

I obtained the Vista certificate from the CA as follows (all operations performed on Vista):

1. Create a request by running certreq -new, using the following inf file:

    [NewRequest]
    Subject = "CN=Vista"
    KeyLength = 2048
    MachineKeySet = TRUE
    Silent = TRUE
    Exportable = TRUE
    KeySpec = 1

2. Using Firefox, open the http://WS08.mydomain.com/certsrv web page, paste the request text into the Saved Request field, and click Submit.

3. Download the certificate (Base 64 encoded), creating a certnew.cer file.

4. Using MMC, import the certificate from the certnew.cer file into Certificates (Local Computer) | Personal | Certificates, choosing "Automatically select the certificate store based on the type of certificate".

Update 2007-11-08

I solved this by changing the inf file as shown below. This works consistently, and can be done from a command prompt using certreq or from a browser using the certsrv web pages.

For the WS08 server, both the IP Security IKE Intermediate and the Client Authentication Enhanced Key Usages (EKUs) are required. The former was expected; the latter was not.

For the Vista client only the IP Security IKE Intermediate EKU is required, and the Subject is "CN=Vista" (as opposed to "CN=Vista.mydomain.com"), since the client is a non-domain computer.

Smaller KeyLength than 4096 works.

The inf file:

    [Version]
    Signature = "$Windows NT$"

    [NewRequest]
    RequestType = PKCS10
    ProviderName = "Microsoft Software Key Storage Provider"
    Subject = "CN=computer.mydomain.com"
    KeyLength = 4096
    MachineKeySet = TRUE
    KeySpec = 2
    KeyUsage = 0x80

    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.8.2.2 ; IP Security IKE Intermediate
    OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication
October 17th, 2007 6:19pm
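As an added example (not part of the original post), a PowerShell check that the certificate enrolled from the inf file above actually landed in Cert:\LocalMachine\My with its private key and carries the EKUs the update found necessary for each side. The role names, function names and the required-EKU table are my own; run it in an elevated prompt on the machine being checked.

```powershell
# Added example, not from the original thread: verify a machine certificate against
# the EKU requirements reported above (server: IKE Intermediate + Client Auth;
# non-domain client: IKE Intermediate only). Requires an elevated PowerShell prompt.
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # IP Security IKE Intermediate
$ClientAuthOid      = '1.3.6.1.5.5.7.3.2'   # Client Authentication

# Assumed role split: the WS08 server answers the RDP/IPsec connection,
# the non-domain Vista machine initiates it.
$RequiredEkus = @{
    Server = @($IkeIntermediateOid, $ClientAuthOid)
    Client = @($IkeIntermediateOid)
}

function Get-CertificateEkuOids {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Pull the EKU extension off the certificate; an absent extension means no EKUs at all.
    $ext = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-IpsecMachineCertificate {
    param(
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Role,
        [Parameter(Mandatory)][string]$SubjectCn   # e.g. 'Vista' or 'computer.mydomain.com'
    )
    $subject = "CN=$SubjectCn"
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate with subject '$subject' in Cert:\LocalMachine\My"; return $false
    }
    # MachineKeySet = TRUE is what keeps the key with the Local Computer store.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "'$subject' has no private key in the machine store"; return $false
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "'$subject' expired on $($cert.NotAfter)"; return $false
    }
    $present = Get-CertificateEkuOids -Certificate $cert
    $missing = $RequiredEkus[$Role] | Where-Object { $present -notcontains $_ }
    if ($missing) {
        Write-Warning "'$subject' lacks EKU(s) for role '$Role': $($missing -join ', ')"; return $false
    }
    $true
}

# Usage: on the Vista client
Test-IpsecMachineCertificate -Role Client -SubjectCn 'Vista'
# Usage: on the WS08 server
Test-IpsecMachineCertificate -Role Server -SubjectCn 'computer.mydomain.com'
```

A $false result with its warning points at the store, key or EKU problem to fix before re-testing the IPsec connection and re-reading Event 4653.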

Thanks for the solution, fellow. According to this article - http://support.microsoft.com/kb/922706, you cannot use web enrollment to request and store a certificate in the local machine store:

    Computer certificate enrollment
    Administrative rights are required to request a computer certificate. In Windows Vista, Microsoft Internet Explorer does not use administrative rights to run. Therefore, the option to store a computer certificate in the computer store was removed from the Windows Server "Longhorn" certificate enrollment pages.

If your Vista PC is not a domain member, the only way to request an IPsec machine certificate is using certreq.exe.
January 14th, 2008 12:06pm
