Computer certificates for L2TP/IPSec VPN connections

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Computer certificates for L2TP/IPSec VPN connections

The Windows Server 2003 family supports two authentication methods for Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPSec)-based VPN connections: computer certificates, also known as machine certificates, and preshared keys.

In order to create an L2TP/IPSec connection using the computer certificate authentication method, you must install a certificate in the local computer certificate store on the VPN client and VPN server computer. To install a computer certificate, a certification authority must be present to issue certificates. Once the certification authority is configured, you can install a certificate in three different ways:

  • By configuring the automatic enrollment, or auto-enrollment, of computer certificates to computers in a Windows Server 2003 domain.

  • By using the Certificates snap-in to obtain a computer certificate.

  • By using your browser to connect to the CA Web enrollment pages to install a certificate on the local computer or to a floppy disk for installation on another computer, such as a user's home computer.

Based on the certificate policies in your organization, you need to perform only one of these allocations.

Non-domain member computers cannot obtain certificates through auto-enrollment. For more information, see Network access authentication and certificates.

To configure a CA and install the computer certificate, perform the following steps:

  1. If you do not already have an enterprise root CA:

    1. Promote the computer that will be a CA to a domain controller (DC), if necessary.

    2. Install the Certificate Services component as an enterprise root CA on a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition. For more information, see Install an enterprise root certification authority.

  2. To auto-enroll computer certificates, configure Windows Server 2003 domain. For more information, see Configure automatic certificate allocation from an enterprise CA.

    To create a computer certificate for the VPN server that is a member of the domain for which auto-enrollment is configured (as well as other computers that are members of the domain), restart the computer or type gpupdate /target:computer from a Windows Server 2003 command prompt.

  3. To manually enroll computer certificates, use the Certificates snap-in to install the CA root certificate. For more information, see Use Windows Server 2003 Certificate Services Web Pages, Manage certificates for a computer and Request a certificate.


  • On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling Protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling Protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.