Non windows / Non domain computer certificate request to a Enterprise CA

  • Thursday, November 22, 2012 7:42 AM

    Dear All,

    I have posed this question many times, awaiting a complete answer.

    We have a Linux environment that is completely isolated from the AD domain (where we have the Enterprise CA). The requirement is to enable mutual certificate-based authentication between Linux clients and servers (web based). How can this be served by an Enterprise CA? Please help.

    Thanks

    Shaun

All Replies

  • Thursday, November 22, 2012 9:31 AM

    You can use:

    • A manual request generated on the Linux host and manually submitted to your Enterprise CA
    • The Web Enrollment Pages "https://ent-ca-server/certsrv" with a compatible web browser to create a user certificate and associated keychain
    • NDES/SCEP to submit an online request to your Enterprise CA: http://technet.microsoft.com/en-us/library/ff955645(v=ws.10).aspx

    /Hasain

    • Marked As Answer by shaunsaravana Thursday, November 22, 2012 1:44 PM
  • Thursday, November 22, 2012 9:59 AM

    Many thanks Hasain, I have a few queries.

    You can use:

    • A manual request generated on the Linux host and manually submitted to your Enterprise CA - You mean create a CSR and submit it on the web enrollment page, requesting a computer certificate (choosing the template for workstation authentication)?
    • The Web Enrollment Pages "https://ent-ca-server/certsrv" with a compatible web browser to create a user certificate and associated keychain - but the certificates are meant for client machines and not users.
    • NDES/SCEP to submit an online request to your Enterprise CA http://technet.microsoft.com/en-us/library/ff955645(v=ws.10).aspx - will have to check how compatible Linux hosts are; this is usually for network devices, I believe.

    Regards

    Shaun

  • Thursday, November 22, 2012 10:11 AM

    Yes, it is possible to use the web enrollment pages to do that. You can also use the certreq.exe tool from a Windows host to submit the request.

    There are SCEP clients available for many Linux distributions, and they work just fine for devices other than network devices.

    /Hasain

  • Thursday, November 22, 2012 11:52 AM

    Thanks again Hasain, this was really an eye opener for me.

    So I understand from the above suggestions that any non-domain, non-Windows machine can request a computer certificate (which is used to prove the identity of the computer and can be used for authenticating that client machine against a server) using the following:

    1. Submitting a request on the web enrollment console, asking for a certificate using the Workstation Authentication template

    2. Manually submitting a .req file to the CA (but how to convert .csr, .pem etc. request files to .req?)

    3. Using the NDES service

  • Thursday, November 22, 2012 12:41 PM

    The file extension is not important here. The request must be formatted using PKCS#10 and can be in either DER/binary or PEM/Base64 encoded format. You can use openssl to convert between different formats!

    /Hasain
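    The conversion Hasain describes, as an added example that is not part of the thread: it builds a PKCS#10 request on a Linux host with openssl, converts it between PEM/Base64 and DER/binary, and checks that every encoding still carries the same self-signed request. The host name and the working directory are constructed sample values; openssl must be installed.

    ```shell
    #!/bin/sh
    # Added example, not code from the thread: create a PKCS#10 request, convert
    # it between PEM and DER, and confirm both encodings are the same request
    # before handing it to the Enterprise CA.
    set -eu

    WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: writable tmp)

    # Generate a 2048-bit RSA key and a CSR for a machine identity. The host name
    # is a constructed sample; a real request uses the client's FQDN in CN and SAN.
    make_csr() {
        host="$1"
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$WORK/$host.key" -out "$WORK/$host.pem.csr" \
            -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
        printf '%s\n' "$WORK/$host.pem.csr"
    }

    # Only the encoding changes here; the PKCS#10 content is untouched.
    pem_to_der() { openssl req -in "$1" -inform PEM -outform DER -out "$2"; }
    der_to_pem() { openssl req -in "$1" -inform DER -outform PEM -out "$2"; }

    # Verify the request's self-signature; exit status 0 only when it checks out.
    verify_csr() { openssl req -in "$1" -inform "$2" -noout -verify >/dev/null 2>&1; }

    # Subject and SHA-256 of the DER form: compare these across encodings (and
    # against the copy the CA received) to confirm nothing was altered in transit.
    csr_subject() { openssl req -in "$1" -inform "$2" -noout -subject; }
    csr_fingerprint() {
        openssl req -in "$1" -inform "$2" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
    }

    # Round trip PEM -> DER -> PEM and return 0 only if every form is the same request.
    roundtrip_ok() {
        pem="$(make_csr "$1")"
        pem_to_der "$pem" "$WORK/$1.der.csr"
        der_to_pem "$WORK/$1.der.csr" "$WORK/$1.back.csr"
        verify_csr "$pem" PEM && verify_csr "$WORK/$1.der.csr" DER || return 1
        [ "$(csr_fingerprint "$pem" PEM)" = "$(csr_fingerprint "$WORK/$1.der.csr" DER)" ] || return 1
        [ "$(csr_subject "$pem" PEM)" = "$(csr_subject "$WORK/$1.back.csr" PEM)" ]
    }
    ```

    Either the .pem.csr or the .der.csr file can be submitted to the CA; the extension the CA's tooling expects (such as .req) is only a naming convention.
    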

  • Thursday, November 22, 2012 1:48 PM

    Thanks a ton Hasain :)