How to request a certificate from a non-domain computer

  • Tuesday, September 27, 2011 3:34 PM

    We are using a Windows Server 2008 R2 Enterprise CA to issue web server certificates (SSL). The CA server is a member of an AD domain and online. Now we want to request certificates from computers such as Windows Server 2008 R2 or Linux servers which aren't members of the domain.

    How can we request certificates automatically with a script, remotely from these Windows servers, for example? Is it possible to use the "Certificate Enrollment Web Service" without the "Certificate Enrollment Policy Web Service"?

    Is it possible to use certreq in this scenario ?

    Thanks for your help.


    • Edited by Ewoki Tuesday, September 27, 2011 3:49 PM

All Replies

  • Tuesday, September 27, 2011 4:18 PM

    You can use the certreq.exe tool. I think you can use this guide with some edits:

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/098f858a-3e89-48d2-828e-274487033f6b

    In the INF file, change the line as follows:

    Exportable = True

    This allows you to export the certificate to a PKCS#12 file and import it on the target boxes.

    BTW, you cannot use the Enrollment Web Service without the Policy Service, because the response from CEP is used by CES to obtain all required information and perform enrollment.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
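The INF-based route in the reply above, scripted end to end as an added example (this is not the reply author's code, nor the content of the linked guide): on a domain-joined machine the script writes an INF with `Exportable = TRUE`, runs `certreq -new`, `-submit` and `-accept` against the CA over DCOM/RPC, then exports key and certificate with `certutil -exportPFX` so the PKCS#12 file can be carried to the non-domain host. Subject, SAN names, template name, CA config string and paths are placeholders, not values from the thread.

```powershell
# Added example, not from the original thread: INF-based enrollment on a domain-joined
# machine, then PKCS#12 export so key and certificate can be moved to a non-domain host.
# Subject, SAN names, template, CA config string and paths are assumptions/placeholders.
param(
    [string]   $Subject  = 'CN=web01.contoso.com',           # assumption
    [string[]] $DnsNames = @('web01.contoso.com', 'web01'),  # assumption: SAN entries
    [string]   $Template = 'WebServerExportable',            # assumption: template common name
    [string]   $CAConfig = 'ca01.contoso.com\IssuingCA1',    # assumption: "CAhost\CAname"
    [string]   $WorkDir  = 'C:\certreq'                      # assumption
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir 'request.inf'
$req = Join-Path $WorkDir 'request.req'
$cer = Join-Path $WorkDir 'issued.cer'
$pfx = Join-Path $WorkDir 'issued.pfx'

# "Exportable = TRUE" is the line the reply refers to: without it the private key
# is generated non-exportable and can never leave this machine.
$sanLines = ($DnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@ | Set-Content -Path $inf -Encoding ASCII

function Invoke-Certreq {
    param([string[]] $Arguments)
    $out = & certreq.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certreq $($Arguments[0]) failed ($LASTEXITCODE): $($out -join ' ')"
    }
    $out
}
Invoke-Certreq @('-new', '-f', $inf, $req)                          | Out-Null  # key pair + PKCS#10
Invoke-Certreq @('-submit', '-f', '-config', $CAConfig, $req, $cer) | Out-Null  # DCOM/RPC to the CA
Invoke-Certreq @('-accept', $cer)                                   | Out-Null  # bind cert to the key

# Locate the freshly installed certificate and export it together with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "certificate for $Subject not found in LocalMachine\My" }

# certutil prompts for the PFX password when -p is omitted, which keeps it off the command line.
& certutil.exe -f -exportPFX My $cert.Thumbprint $pfx
if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed ($LASTEXITCODE)" }
Write-Host "Exported $($cert.Thumbprint) to $pfx. Copy it over an authenticated channel and delete this copy."
```

The PFX now holds a private key that was generated on a machine other than the one that will use it, so treat the file as a credential: transfer it over an authenticated channel, import it on the target, and delete the intermediate copies.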
  • Tuesday, September 27, 2011 4:21 PM

    Thanks for your reply. The link is the URL of this thread :-( ... The problem is that we don't have an INF file. The request file will be generated by the "hardware" (HP iLO web server), which runs on an internal chipset on the motherboard.

    Therefore we need a solution to submit a pre-created request file.

  • Tuesday, September 27, 2011 5:56 PM

    If you have request files, you can automate certificate submission by scripting the certreq.exe tool. Here is a simple example:

    certreq -submit -attrib "certificatetemplate:TemplateCommonName" input.csr output.cer



  • Tuesday, September 27, 2011 7:58 PM

    If I try this command line I get an RPC error. The firewall on the CA server is deactivated. The CA server and the requesting server are not in the same forest/domain. Adding username and password doesn't solve the problem.

    What could be the problem?


    • Edited by Ewoki Tuesday, September 27, 2011 8:01 PM
  • Wednesday, September 28, 2011 5:39 AM
    You need to move all requests to a domain computer, because you need to be properly authenticated.
  • Wednesday, September 28, 2011 9:22 AM
     Answered

    Now I have found a solution. I want to describe the way briefly:

    Prerequisites:
    1. ADCS Enterprise Certification Authority is installed
    2. ADCS Certificate Enrollment Web Service is installed on a server
    3. ADCS Certificate Enrollment Policy Web Service is installed on another server

    Steps to do:
    1. Prepare a request-file for a certificate

    2. On a computer which is not a member of the domain/forest of the CA service, submit the request to the CA and receive the issued certificate. The following command has to be written on one line without line breaks.

      certreq -submit
        -Username {domain}\{username}
        -p {password}
        -PolicyServer "https://{FQDN CertificateEnrollmentPolicyWebService-Server/-Alias}/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
        -config "https://{FQDN CertificateEnrollmentWebService-Server/-Alias}/{CAName}_CES_UsernamePassword/service.svc/CES"
        -attrib "CertificateTemplate:{TemplateName}"
        {Enter Path and Name of the Request-File}
        {Choose Path and Filename for certificate}

       Sample:
       certreq -submit
            -Username contoso\Serviceaccount
            -p P@ssw0rd
            -PolicyServer "https://CAPolicyEnroll.contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
            -config "https://CAWebEnroll.contoso.com/IssuingCA1_CES_UsernamePassword/service.svc/CES"
            -attrib "CertificateTemplate:MyOwnSSLTemplate"
            request.req
            sslcert.cer

    3. Now you can find a file with your requested certificate locally in the path you have chosen for the certificate file.

    I hope this will be helpful for other people enrolling certificates on non-domain member computers.

    • Marked As Answer by Ewoki Wednesday, September 28, 2011 9:22 AM
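The accepted answer above, and the earlier `certreq -submit -attrib` reply, wrapped in a PowerShell function as an added example (not code from the thread's participants): it submits a pre-created PKCS#10 request, such as one generated by the iLO, to the CA through the CEP/CES username/password endpoints from a machine outside the forest, checks certreq's exit code, distinguishes an issued certificate from a request left pending for manager approval, and parses the result. Host names, CA name, template and service account are placeholders. Two caveats that apply to the real command as well: the non-domain client must already trust the TLS certificates of the CEP and CES hosts, or certreq will refuse to talk to them; and certreq only accepts the password as a command-line argument, so it is visible to anyone who can list processes on that host while certreq runs, which is why the example prompts for the credential instead of hard-coding it and recommends an account whose only right is Enroll on the one template.

```powershell
# Added example, not from the original thread: submit a pre-created PKCS#10 request
# (e.g. one generated by an HP iLO) to an AD CS CA through CES/CEP with
# username/password authentication, from a machine outside the forest.
# Host names, CA name, template and service account are placeholders (assumptions).
function Submit-CertRequestViaCES {
    param(
        [Parameter(Mandatory=$true)][string]$RequestFile,   # PKCS#10 request from the device
        [Parameter(Mandatory=$true)][string]$CertFile,      # where the issued cert is written
        [Parameter(Mandatory=$true)][string]$Template,      # template common name
        [Parameter(Mandatory=$true)][string]$CepHost,       # CEP server FQDN (must match its TLS cert)
        [Parameter(Mandatory=$true)][string]$CesHost,       # CES server FQDN (must match its TLS cert)
        [Parameter(Mandatory=$true)][string]$CAName,        # CA common name, used in the CES URL
        [Parameter(Mandatory=$true)][pscredential]$Credential
    )
    $cep = "https://$CepHost/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
    $ces = "https://$CesHost/${CAName}_CES_UsernamePassword/service.svc/CES"

    # certreq only takes the password on the command line, so it is visible to anyone
    # who can list processes on this host while it runs. Use a dedicated account whose
    # only right is Enroll on this one template, and prompt for it (see usage below).
    $nc   = $Credential.GetNetworkCredential()
    $user = if ($nc.Domain) { "$($nc.Domain)\$($nc.UserName)" } else { $nc.UserName }

    $certreqArgs = @('-submit', '-f',
                     '-Username', $user, '-p', $nc.Password,
                     '-PolicyServer', $cep, '-config', $ces,
                     '-attrib', "CertificateTemplate:$Template",
                     $RequestFile, $CertFile)
    $output = & certreq.exe @certreqArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certreq -submit failed (exit $LASTEXITCODE): $($output -join ' ')"
    }
    # A request that needs CA manager approval returns success but writes no file.
    if (-not (Test-Path $CertFile)) {
        throw "no certificate written; request is probably pending approval: $($output -join ' ')"
    }
    # Parse the issued certificate so the caller gets subject, thumbprint and validity.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
    if ($cert.NotAfter -lt (Get-Date)) { throw "issued certificate is already expired" }
    return $cert
}

# Usage (placeholders): prompt for the enrollment account instead of hard-coding a password.
$cred = Get-Credential 'contoso\svc-enroll'
$cert = Submit-CertRequestViaCES -RequestFile .\ilo.req -CertFile .\ilo.cer `
    -Template 'MyOwnSSLTemplate' -CepHost 'capolicyenroll.contoso.com' `
    -CesHost 'cawebenroll.contoso.com' -CAName 'IssuingCA1' -Credential $cred
'{0}  {1}  valid until {2}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
```

The returned certificate file is then uploaded to the device that generated the request (the iLO in this thread); only that device holds the matching private key, so nothing sensitive needs to be copied from the submitting machine.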
  • Thursday, September 29, 2011 3:57 PM
    Moderator

    Hi,

    Thanks for your feedback. This solution will benefit others who come to this forum.

    Have a nice day!

  • Monday, February 18, 2013 7:16 PM

    Hi all,

    Is there any sample code that can be used with the CA Policy and Web Services instead of using the "certreq" utility?

    Thanks,

    Ratko


    • Edited by Stibra Monday, February 18, 2013 7:16 PM