23 February 2012 8:16
Unfortunately I do not have a PKI server in front of me; can I obtain a machine certificate or a domain controller machine certificate from the web enrollment page (/certsrv) of a Subordinate Online AD integrated CA running on Windows 2008 R2 Ent or Std edition?
23 February 2012 8:50
by default, it would be problematic:
a) the web enrollment cannot enroll into the machine store - so the resulting certificate will be stored in the user's profile that was accessing the web enrollment pages. That means, you would have to export the certificate with its private key into .PFX file and reimport it into the local computer store manually. NOTE HERE! Be careful! NEVER drag-and-drop the certificate from the user's store into the Local computer store - this operation moves only the certificate while the private key would remain in the user's private store (although the GUI shows the private key on the machine's certificate INCORRECTLY)!
b) the default Web Server certificate template is not marked as Exportable, so you would have to modify the template by duplicating it and changing the setting to enable exporting of private key on the template.
c) the only way to use the web enrollment would be to create the Custom Certificate Request by using the MMC Certificates (Local Computer) console - this creates the initial request into the local computer store. Then from the console, export the request into .REQ file and use the web enrollment pages to just upload the request .REQ file to the CA. And then download the issued .CER file and import it by using the MMC console again into the Personal store of local computer.
- Marked as answer by S.Kwan, 23 February 2012 9:44
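
The procedure in (c), done with the built-in certreq tool instead of the MMC console, as an added example that is not part of the original answer. The subject name, working folder and file names are constructed placeholders; the request is still uploaded by hand on the /certsrv pages.

```powershell
# Run from an elevated PowerShell prompt on the target server.
# Subject name, folder and file names are constructed placeholders.
$work = 'C:\Temp\machine-cert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# MachineKeySet = TRUE creates the key pair in the local computer store,
# so nothing lands in a user profile. Exportable = FALSE marks the
# private key as non-exportable; no .PFX round trip is needed.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=server01.example.test"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# Step 1: generate the key pair and the PKCS#10 request file.
certreq -new "$work\request.inf" "$work\request.req"
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# Step 2 (manual): upload request.req on the /certsrv pages and
# download the issued certificate.
Read-Host "Save the issued certificate as $work\issued.cer, then press Enter"

# Step 3: install the certificate against the pending request, which
# binds it to the private key already in the machine store.
certreq -accept -machine "$work\issued.cer"
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# Step 4: look the certificate up by thumbprint and dump the store entry;
# certutil lists the key container and tests access to the private key.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$work\issued.cer"
if (-not (Test-Path "Cert:\LocalMachine\My\$($issued.Thumbprint)")) {
    throw 'certificate not found in LocalMachine\My'
}
certutil -store My $issued.Thumbprint
```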
23 February 2012 9:44
thank you, that's very helpful