Certification Authority
  • Certification Authority

    Hello All,

    I have installed an Enterprise Root CA in our environment. The CA is installed on Windows 2008 R2 Enterprise edition. There are no other sub CAs. I need to assign certificates to users on flash disks. So I have configured:

    1) AD group "ENROLLMENT_AGENTS"; there are two persons in it.
    2) Duplicated the Enrollment Agent template (Windows 2003 template, set up security for the group above) and published it.
    3) Duplicated the User certificate template (Windows 2003 template, set up security for the group above) and published it.

    4) Issued to those users their User and Enrollment Agent certificates.

    5) On the CA there are no restrictions for enrollment agents. The policy is set up so that certificates stay in the pending state until administrator action.

    6) Users can request a certificate on behalf of someone through the MMC console (choose their own signature certs, select the certificate template for the request, select the user, etc.).

    7) On the CA I see the pending request. But for the enrollment agents in MMC (user certificates - Certificate Enrollment Requests) there is no request. So after import I don't have the private key of that certificate. If I try to request a cert for me (not on behalf of), there is a request.

    Can anybody help me?

    Thanks a lot
    Thanks

    Caspi

  • #2
    Re: Certification Authority

    I would select, under the certificate properties, Auto Enrol for the users or the group, depending on what you really want, and it would solve your problem.

    • #3
      Re: Certification Authority

      So anyone can get a cert without checking, thus being able to put unauthorised flash drives on the network?
      Suitable in some cases, but given the details of the original post, I'm sure the idea has been considered and rejected.
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      • #4
        Re: Certification Authority

        In our network we have some VPN users. I would like to configure the CA so that our HR can assign user certs. In the near future we will use some tokens, but now it is only testing. But at the beginning I cannot issue a cert with a private key to anybody. I don't have it in the "Certificate Enrollment Requests" folder.
        Thanks

        Caspi

        • #5
          Re: Certification Authority

          Another thing: if I change the policy from:

          Set the certificate request status to pending. The administrator must explicitly issue the certificate.

          to:

          Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.

          then I can request on behalf of, and all certs are stored in my personal store with the private key.

          But I think these are not good policy settings; I would like to know that there is another cert to issue.
          Thanks

          Caspi
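A way to check where a pending request sits, added here as an example and not part of any post in this thread: it lists what the CA is holding for an administrator decision, lists the current user's "Certificate Enrollment Requests" store (the place the private key of an outstanding request is kept), and shows how the requester retrieves the certificate once it is issued. The CA config string is a placeholder.

```powershell
# Added example, not from this thread. Assumes a CA reachable as
# "CA01.example.local\Example Root CA" (placeholder; replace with your own).
$CaConfig = 'CA01.example.local\Example Root CA'

function Get-PendingCaRequests {
    # Requests the CA is holding for an administrator decision.
    # In the CA database, Disposition 9 means "pending".
    certutil -config $CaConfig -view -restrict "Disposition=9" `
        -out "RequestID,RequesterName,CertificateTemplate"
}

function Get-LocalEnrollmentRequests {
    # The current user's "Certificate Enrollment Requests" store (REQUEST).
    # The key pair for an outstanding request lives here; if the request
    # is not listed, the issued certificate has nothing to pair with and
    # will be imported without a private key.
    Get-ChildItem Cert:\CurrentUser\REQUEST |
        Select-Object Thumbprint, Subject, NotBefore, HasPrivateKey
}

function Get-IssuedCertificate {
    # After the administrator issues request $RequestId on the CA, retrieve
    # it and install it; -accept must run as the user who holds the key.
    param([Parameter(Mandatory)][int]$RequestId)
    $Out = Join-Path $env:TEMP "req-$RequestId.cer"
    certreq -retrieve -config $CaConfig $RequestId $Out
    certreq -accept $Out
}

Write-Host "Pending on the CA:"
Get-PendingCaRequests
Write-Host "In this user's Certificate Enrollment Requests store:"
Get-LocalEnrollmentRequests
```

Comparing the two lists shows whether the pending request seen in the CA console has a matching key on the requesting account at all.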
