IPSec certificate for non-domain computer
I am trying to get a certificate installed on a Windows XP machine that is not on the domain to be used for an L2TP/IPSec VPN. I have an enterprise CA running on Server 2008 R1 and my domain connected computers are getting autoenrolled for Computer and IPSec certs and they can successfully connect to VPN using their autoenrolled certs. For the moment I am able to connect this non-domain member PC using a PPTP VPN where I then have access to the CA's web enrollment pages (the CA's web enrollment page is not directly accessible from the internet and currently can only be accessed internally) but I still can't seem to get a cert that works. I had installed an IPSec (offline request) cert but it doesn't work. I can't issue Computer or IPSec certs through the web page. I installed adminpak on the Windows XP client so I could use certreq but I can't seem to figure out how to formulate the .inf file to use with certreq. Per this thread: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/29f00a04-3412-42f1-b364-c89e4a1b5794/ I tried using an .inf file that looks like this:

    [Version]
    Signature= "$Windows NT$"

    [NewRequest]
    RequestType = PKCS10
    ProviderName = "Microsoft Software Key Storage Provider"
    Subject = "CN=darktower"
    KeyLength = 1024
    MachineKeySet = TRUE
    KeySpec = 2
    KeyUsage = 0x80

    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.8.2.2 ;IP Security IKE Intermediate
    OID = 1.3.6.1.5.5.7.3.2 ;Client Authentication

But apparently something about it is formatted for a newer version of the certreq utility because I get an error:

    C:\Documents and Settings\admin>certreq -new
    certreq.exe: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
    1401.6158.0: 0x80090019 (-2146893799)
    1401.6952.0: 0x80090019 (-2146893799)
    1401.7080.0: 0x80090019 (-2146893799)
    Certificate Request Processor: The keyset is not defined. 0x80090019 (-2146893799)

    [RequestAttributes]
July 20th, 2010 1:24am

Your problem may be that the CNG algorithms implemented in "Microsoft Software Key Storage Provider" are not available on XP. See here for more details: http://technet.microsoft.com/en-us/library/cc730763(WS.10).aspx
July 20th, 2010 2:54am

I do remember reading about that. But I used default templates for most of my certificates, the only exceptions being a modified template for the VPN server itself and the IPSec (offline) template which I also modified. So I don't know if that means the new CryptoAPI is not used on any of them or not. At any rate I did find the solution. There was a netscreen VPN client (for Juniper firewall) installed on the non-domain PC and that application was apparently blocking IPSec communication. I discovered this when I could not get one of the domain joined computers to work until I removed the netscreen app. So I went back and removed it from the non domain PC and suddenly the L2TP/IPSec VPN worked fine using the IPSec (offline) cert I had already generated and installed. Edit: Oh I think I understand you to be saying that the reason I am getting the error when I try and use that .inf file with certreq is the Cryptography Next Generation. So I tried it again and removed that line from the .inf file and it worked to generate a new request so you are correct. Thanks for that.
July 20th, 2010 7:56pm
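For reference, here is a complete certreq .inf that follows the resolution reached in this thread (no CNG key storage provider, so the legacy CryptoAPI certreq on XP can build the key). This is an added example, not the original poster's file: the legacy CSP name, the ProviderType value, the 2048-bit key length and the template name used in the -submit command are assumptions chosen by the editor; the subject, key spec, key usage and EKU OIDs are the ones from the thread.

```ini
; Added example: a certreq .inf for a non-domain Windows XP client that
; must request an IPSec (offline request) certificate from a 2008 enterprise CA.
;
; Workflow (assumed commands, run as a local administrator on the XP client):
;   certreq -new ipsec.inf ipsec.req
;   certreq -submit -attrib "CertificateTemplate:IPSECIntermediateOffline" ipsec.req ipsec.cer
;   certreq -accept ipsec.cer
; The template's internal name is assumed; check it against the CA's
; Certificate Templates console before submitting.

[Version]
Signature = "$Windows NT$"

[NewRequest]
RequestType = PKCS10
Subject = "CN=darktower"

; Legacy CryptoAPI CSP instead of the CNG "Microsoft Software Key Storage
; Provider": XP-era certreq has no CNG support, which is what produced
; the "The keyset is not defined" (0x80090019) error in the thread.
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

; 2048 bits is an editor's choice; the original post used 1024, which is
; below current minimum key length recommendations.
KeyLength = 2048

; Store the key in the machine store so the RRAS/L2TP client can use it
; before any user logs on, and keep it non-exportable so it cannot be
; copied off the machine.
MachineKeySet = TRUE
Exportable = FALSE

; AT_SIGNATURE key with the Digital Signature key usage bit, as in the thread.
KeySpec = 2
KeyUsage = 0x80

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.8.2.2 ; IP Security IKE Intermediate
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication
```

After `certreq -accept`, confirm the certificate landed in the Local Computer / Personal store with its private key (the certificate's General tab should say "You have a private key that corresponds to this certificate"); an IPSec cert that ends up in the current user's store, or without a matching key, will be ignored by the L2TP/IPSec client exactly as the poster's first attempt was.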
