VPN Cert for non-domain PC
We have a Cisco SSL VPN and we have a user who has a home PC - not a part of our domain, who needs to VPN in. Can anyone tell me how I can get a cert onto this PC? It won't ever be locally on our network and we don't have a public-facing web enrollment server.
Thanks,
Scott
January 10th, 2011 3:23pm
Hi,
Do you have an internal CA available in the environment? If not, I think you will have to request a certificate from a public CA.
January 12th, 2011 9:07pm
Yes. We have an internal CA. I've duplicated a template and configured it similar to the certs that domain PCs use for VPN. I created a cert request from the non-domain PC and submitted it to the CA using the new template. I then imported the new cert into the personal computer store on the non-domain PC. When I try to connect to the VPN, I get a "certificate validation failure" error. As far as I can tell, the cert looks fine. Any ideas what I'm doing wrong?
Thanks,
Scott
January 17th, 2011 1:42pm
On the non-domain client, have you:
1) added the root CA certificate as a trusted root cert
2) Ensure that there are HTTP locations for the CDP and AIA extensions in all certificates in the chain
Brian
January 17th, 2011 5:02pm
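The two checks Brian lists, as an added PowerShell example that is not part of this thread: it puts the root CA certificate into the machine Trusted Root store, walks the chain of the client certificate in the local machine Personal store and prints every CDP and AIA URL it finds, then has Windows validate the chain with network fetching turned on, which is what the VPN client's certificate check does. The file name root.cer is an assumption. A non-domain PC can only follow http:// URLs; ldap:/// URLs point into Active Directory and are unreachable from outside, so a chain whose only CDP/AIA URLs are LDAP fails revocation checking there even though it works on a domain-joined laptop.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt on
# the non-domain PC. Assumed file name: root.cer (the exported root CA cert).

# 1) Trust the hierarchy: the root goes in the machine Trusted Root store.
#    An intermediate CA cert, if there is one, goes in the "CA" store instead.
certutil -addstore -f Root .\root.cer

# 2) List every CDP / AIA URL in the client certificate's chain.
$CdpOid = '2.5.29.31'           # CRL Distribution Points
$AiaOid = '1.3.6.1.5.5.7.1.1'   # Authority Information Access

function Get-ChainUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Build without revocation checking here; we only want the chain members.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Cert)
    foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        foreach ($ext in $c.Extensions) {
            if ($ext.Oid.Value -eq $CdpOid -or $ext.Oid.Value -eq $AiaOid) {
                # Format($true) renders the extension as text; pull the URLs out.
                $urls = [regex]::Matches($ext.Format($true), '(?i)(https?|ldap)://\S+') |
                        ForEach-Object { $_.Value }
                [pscustomobject]@{
                    Subject = $c.Subject
                    Ext     = $ext.Oid.FriendlyName
                    Urls    = ($urls -join ', ')
                    # A non-domain PC needs at least one http:// URL per extension.
                    HasHttp = [bool]($urls | Where-Object { $_ -match '^https?://' })
                }
            }
        }
    }
}

# Pick the newest unexpired cert with a private key from the machine Personal store
# (the store the thread calls the "personal computer store").
$client = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
Get-ChainUrls $client | Format-Table -AutoSize

# 3) Let Windows validate the chain the way CAPI will for the VPN client,
#    fetching CRLs and AIA certs from the URLs above. Revocation problems show
#    up as "Revocation check failed" / "unable to check revocation" lines.
$path = Join-Path $PWD 'client.cer'
[System.IO.File]::WriteAllBytes($path,
    $client.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
certutil -verify -urlfetch $path
```

If step 2 shows no http:// URL for the issuing CA (the thread's situation), step 3 will report that it could not check revocation, and fixing that is a change on the CA side: the URLs are baked into each certificate when it is issued, so the client certificate has to be re-issued after the CA's CDP/AIA configuration changes.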
Thanks for your response.
I do have the CA cert in the trusted root store on the non-domain PC. However, I checked the certs and there isn't an http location for CDP or AIA. Since the non-domain PC will not have access to our network, I assume this has to be a publicly accessible http address? Is there a security risk with this? How do I go about setting that up?
The other thing to mention is that our laptops with certs can access the VPN even though their certs don't have an http location for CDP or AIA.
Thanks,
Scott
January 18th, 2011 2:22pm
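Serving the CDP and AIA over plain HTTP is the standard design rather than a weakening: CRLs and CA certificates are signed by the CA, so a client verifies what it downloaded regardless of how it was fetched. What follows is an added example, not from this thread, of adding an HTTP location to a Windows Enterprise CA with certutil; pki.example.com is a hypothetical public web host that serves a copy of the CA's CertEnroll folder. Because the extension is embedded in each certificate at issuance, certificates issued before the change keep the old URLs and must be re-issued.

```powershell
# Added example, not from the thread. Run on the CA server as an administrator.
# Assumed: http://pki.example.com/CertEnroll is a hypothetical public web host
# that holds copies of the CA's CRL and CA certificate files.
$Http = 'http://pki.example.com/CertEnroll'

# See what is configured today (typically a local file entry and LDAP entries).
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Flag 2 = "include this URL in the extension of issued certificates".
# The leading "+" appends to the existing REG_MULTI_SZ instead of replacing it,
# so the LDAP entries that domain-joined clients use stay in place.
# %3 = CA name, %8 = CRL suffix, %9 = delta-CRL suffix, %1 = server DNS name,
# %4 = certificate renewal suffix (certutil expands these when publishing).
certutil -setreg CA\CRLPublicationURLs    "+2:$Http/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "+2:$Http/%1_%3%4.crt"

# The service reads the URLs at start-up; restart it, then publish a fresh CRL.
Restart-Service certsvc
certutil -CRL

# Confirm the HTTP entries are now present.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Remaining manual steps:
#  - copy the .crl and .crt files from C:\Windows\system32\CertSrv\CertEnroll
#    to the web host whenever a new CRL is published (before the old one
#    expires, or all clients that use the HTTP CDP start failing);
#  - re-issue the non-domain PC's certificate so it carries the new URLs.
```

Two caveats a practitioner hits here: the web host must serve the files to anonymous clients over plain HTTP (an HTTPS-only CDP is a known mistake, because validating that TLS certificate can require the very CRL being fetched), and if the host is IIS, delta CRL file names contain a "+", which IIS request filtering rejects unless double escaping is allowed for that directory.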