machine certificates via WS08 R2 web enrollment?

    Question

  • Hi,

    Unfortunately I do not have a PKI server in front of me; can I obtain a machine certificate or a domain controller machine certificate from the web enrollment page (/certsrv) of a Subordinate Online AD integrated CA running on Windows 2008 R2 Ent or Std edition?

    thank you,

    sk

    Thursday, 23 February 2012 08:16

Answers

  • by default, it would be problematic:

    a) the web enrollment cannot enroll into the machine store - so the resulting certificate will be stored in the profile of the user who was accessing the web enrollment pages. That means, you would have to export the certificate with its private key into a .PFX file and reimport it into the local computer store manually. NOTE HERE! Be careful! NEVER drag-and-drop the certificate from the user's store into the Local Computer store - this operation moves only the certificate while the private key would remain in the user's private store (although the GUI shows the private key on the machine's certificate INCORRECTLY)!

    b) the default Web Server certificate template is not marked as Exportable, so you would have to modify the template by duplicating it and changing the setting to enable exporting of the private key on the template.

    c) the only way to use the web enrollment would be to create the Custom Certificate Request by using the MMC Certificates (Local Computer) console - this creates the initial request into the local computer store. Then from the console, export the request into a .REQ file and use the web enrollment pages to just upload the request .REQ file to the CA. And then download the issued .CER file and import it by using the MMC console again into the Personal store of the local computer.

    ondrej.

    • Marked as answer by D Wind Thursday, 23 February 2012 09:44
    Thursday, 23 February 2012 08:50
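The same flow as step (c) above, driven with certreq.exe instead of the MMC console, plus a check for the drag-and-drop pitfall from step (a). This is an added example, not code from the thread; it assumes an elevated PowerShell session on the target machine, a web enrollment page at https://<ca-host>/certsrv used manually between the two steps, and placeholder names (host01.corp.example, the .inf/.req paths).

```powershell
# Request template: MachineKeySet = TRUE puts the key pair in the Local Computer
# store, which is exactly what the web enrollment pages cannot do on their own.
$Inf = @"
[NewRequest]
Subject = "CN=host01.corp.example"   ; placeholder, use the machine FQDN
KeySpec = 1
KeyLength = 2048
Exportable = FALSE                    ; key never needs to leave this machine
MachineKeySet = TRUE                  ; key is created in the computer store
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xa0                       ; digitalSignature, keyEncipherment
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1               ; serverAuthentication
"@

function New-MachineCsr {
    param([string]$BasePath = "$env:TEMP\host01")   # placeholder path
    Set-Content -Path "$BasePath.inf" -Value $Inf -Encoding ASCII
    # Creates a pending request in Cert:\LocalMachine\REQUEST and writes the PKCS#10 file
    # that you upload on /certsrv as an "advanced certificate request".
    certreq.exe -new "$BasePath.inf" "$BasePath.req"
    return "$BasePath.req"
}

function Import-IssuedCert {
    param([string]$CerPath)
    # -accept matches the issued .CER with the pending machine request and installs it
    # in Cert:\LocalMachine\My, bound to the key that was generated there.
    certreq.exe -accept $CerPath
}

function Test-MachinePrivateKey {
    param([string]$Subject)
    # A certificate dragged in from the user store can still report HasPrivateKey = True
    # (the GUI pitfall from the answer), so also ask the CSP where the container lives.
    $c = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject }
    if (-not $c) { throw "no certificate for $Subject in the machine store" }
    $c.HasPrivateKey -and $c.PrivateKey.CspKeyContainerInfo.MachineKeyStore
}

$req = New-MachineCsr
Write-Host "Upload $req at https://<ca-host>/certsrv, download the issued .CER, then run:"
Write-Host "  Import-IssuedCert '$env:TEMP\host01.cer'"
Write-Host "  Test-MachinePrivateKey 'CN=host01.corp.example'   # should return True"
```

Test-MachinePrivateKey only covers CSP-backed (legacy provider) keys, which is what the .inf above requests; for a KSP/CNG key the PrivateKey property is empty and the container location has to be checked with certutil instead.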

All Answers

  • thank you, that's very helpful
    Thursday, 23 February 2012 09:44