Storing a Windows CA Certificate

Windows clients using EAP-based authentication methods (e.g. EAP-TLS or EAP-MSCHAPv2) require a Root CA certificate in the Local Machine store in order to trust the received server certificate and thus be able to verify the digital signature sent by the VPN gateway in the AUTH payload of the IKE_AUTH response.

  1. Double-click the CA certificate file to be imported. The Certificate Information window pops up.

    CA certificate

    Click on Install Certificate.

  2. The Certificate Import Wizard pops up.

    Local Machine

    Since we need to import the CA certificate to be used for IKEv2 authentication under the HKEY_LOCAL_MACHINE branch of the Windows registry, select Local Machine as Store Location. Then click Next.

  3. After giving permission for the operation, the Certificate Store menu pops up.

    Browse Certificate Store

    Choose Place all certificates in the following store. Then click Browse.

  4. The Select Certificate Store menu pops up.

    Select Certificate Store

    Select Trusted Root Certification Authorities and click OK.

  5. We return to the Certificate Store menu with the selected Trusted Root Certification Authorities filled in.

    Selected Certificate Store

    Click Next.

  6. The Completing the Certificate Import Wizard menu pops up.

    Complete Certificate Import

    To complete the certificate import, click Finish.

  7. A small popup window acknowledges the successful certificate import.

    Import Successful

    Click OK on both the Successful and Certificate Information windows to close them.
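
The same import can be scripted from an elevated PowerShell prompt. The following is an added example, not part of the original instructions: it goes beyond the wizard by checking the certificate's fingerprint and CA properties before placing it in `Cert:\LocalMachine\Root` (the store selected in steps 2 to 4). The file path and the expected fingerprint are assumptions to be replaced with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of wizard steps 1-7, with pre-import checks.
param(
    [string]$CaFile         = 'C:\Temp\vpn-root-ca.crt',                    # hypothetical path
    [string]$ExpectedSha256 = '<SHA-256 fingerprint from the CA operator>'  # placeholder
)
$ErrorActionPreference = 'Stop'

# Parse the file without installing it, so it can be inspected first.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaFile)

# SHA-256 over the DER encoding, independent of the PEM/DER file format.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$sha256.Dispose()

# Fail closed unless the fingerprint matches the value obtained out-of-band.
$expected = ($ExpectedSha256 -replace '[:\s]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Fingerprint mismatch: file has $actual"
}

# A trust anchor should be a self-signed CA certificate inside its validity period.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate does not assert basicConstraints CA=TRUE'
}
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed (issuer: $($cert.Issuer)); this is not a root CA"
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate not valid now ($($cert.NotBefore) .. $($cert.NotAfter))"
}

# Local Machine + Trusted Root Certification Authorities = Cert:\LocalMachine\Root
Import-Certificate -FilePath $CaFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Confirm the certificate is now present in the machine root store.
$installed = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw 'Import reported success but certificate not found in store' }
$installed | Format-List Subject, Thumbprint, NotAfter
```

Because every certificate in the machine root store is trusted for all users and purposes on the host, the script refuses to import anything whose fingerprint has not been confirmed through a separate channel.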