KRA certificate issuance problems.

    Question

  • Hi all, I'm working my way through Brian Komar's book and have hit a snag with issuing KRA certificates in Chapter 18.


    I've enabled the Key Recovery Agent certificate for issuance, added a global group of users to the template to allow members to enroll (autoenrollment is not enabled), requested the certificate as a member from a Windows 7 client using the Request New Certificate Wizard (without providing any additional info), seen the status go to pending on the client, issued it at the CA, switched to the client and then attempted to obtain the issued certificate using the Automatically Enroll and Retrieve Certificates Wizard, but it simply states "Certificate autoenrollment has not been enabled" and the certificate remains in Certificate Enrollment Requests in the user's store. No amount of certutil -user -pulse or gpupdate /force has made any difference, and the certificate remains unissued to the private key owner.


    What am I missing?


    The whole environment is in a lab as a proof of concept - this bit seemed the simplest bit to do but it's just not having it. I believe that once a KRA certificate is issued, it's pushed to the KRA container but does this need a specific setting? Should the template be set to publish to AD? By default it isn't.

    I appreciate any help you can give! Thanks.

    Monday, February 27, 2012 2:36 PM

Answers

  • Yes, you actually only need to enable Autoenrollment on the client to automate the installation of the issued/pending certificate. This part of the Autoenrollment functionality does not require autoenrollment to be enabled on the template itself.

    /Hasain

    • Marked as answer by Bruce-Liu Friday, March 02, 2012 5:12 PM
    Tuesday, February 28, 2012 4:42 PM

All replies

  • The "default" Key Recovery Agent certificate template requires "CA Certificate Manager Approval"; the setting is found on the Issuance Requirements tab when editing the certificate template properties!

    If you want to keep the approval requirement you either need to complete the request manually (issue the certificate, export it from the CA and import it on the client) or you can enable Autoenrollment and it will complete the request as soon as the certificate has been issued by a CA certificate manager (either wait for a GPO refresh or run the gpupdate or certutil -pulse commands).

    /Hasain

    Monday, February 27, 2012 5:37 PM
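    As an added example (not from the thread or from the book), the following PowerShell routine checks the client-side autoenrollment policy Hasain refers to, lists what is still sitting in Certificate Enrollment Requests, and then completes the pended request from the client with certreq instead of exporting it from the CA. The CA config string and the request ID are assumed inputs (the request ID is visible in the CA console once the request has been issued).

```powershell
# Added example, not code from the thread: diagnose a pended user request that is
# not completing on a Windows client, then complete it from the client side.
# $CaConfig is a placeholder of the form "CAHostName\CA Common Name".
function Complete-PendedUserRequest {
    param(
        [Parameter(Mandatory)][string]$CaConfig,   # placeholder, e.g. "ca01\Lab Issuing CA"
        [Parameter(Mandatory)][int]$RequestId,     # Request ID from the CA console
        [string]$OutFile = "$env:TEMP\pended-$RequestId.cer"
    )

    # 1. User-level autoenrollment policy. No AEPolicy value means the GPO is not
    #    configured, so pending requests are never fetched; bit 0x8000 means
    #    autoenrollment was explicitly disabled.
    $aePath = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
    $ae = (Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $ae) {
        Write-Warning 'User autoenrollment policy is not configured on this client'
    } elseif ($ae -band 0x8000) {
        Write-Warning 'User autoenrollment is explicitly disabled on this client'
    } else {
        Write-Host ('User autoenrollment enabled (AEPolicy = 0x{0:X})' -f $ae)
    }

    # 2. Requests still waiting in "Certificate Enrollment Requests" (store name REQUEST).
    Get-ChildItem Cert:\CurrentUser\REQUEST |
        Select-Object Subject, NotAfter, Thumbprint |
        Format-Table -AutoSize

    # 3. Pull the issued certificate for the pended request straight from the CA ...
    certreq -user -config $CaConfig -retrieve $RequestId $OutFile
    if ($LASTEXITCODE -ne 0) {
        throw "certreq -retrieve failed ($LASTEXITCODE); the request may still be pending"
    }

    # 4. ... and accept it: certreq pairs it with the pending request's private key
    #    and moves the certificate into the user's Personal store.
    certreq -user -accept $OutFile
    if ($LASTEXITCODE -ne 0) {
        throw "certreq -accept failed ($LASTEXITCODE)"
    }
}
```

    Run it in the user's own session, since both the REQUEST store and the AEPolicy value are per-user.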
  • Thanks for the reply, Hasain.

    I know I can do everything manually if required - in fact it is this specific manual method of obtaining certificates that I'm trying to avoid without resorting to autoenrollment. Ultimately I want users to be able to request specific certificates that might require manual approval and then obtain them without me having to export them from the CA.

    On page 459 of Windows 2008 PKI and Certificate Security it says:

    • The following processes assume that the certificate template has the default settings, though the permissions are set to allow a custom global or universal group Read and Enroll permissions.

    On page 460 of Brian's book it states that in Windows Vista you can use the Certificate Enrollment Wizard to request a KRA certificate and that it supports pended [sic] requests:

    On page 461 it then states that if you used the Certificate Request Wizard, autoenrollment will detect and install the certificate for you.

    I know that the default KRA certificate is not enabled for autoenrollment so it's not likely to detect the issued certificate but on page 459 it doesn't say to set the autoenrollment permission. It just says Read and Enroll.

    My question is, is this process even possible in the manner suggested by the book? If it isn't then great, I can relax about the issue but if it is, something in my configuration is preventing the certificate from being automatically installed on my client workstation when I use the Automatically Enroll and Retrieve Certificates wizard.

    Any kind of confirmation one way or the other would be great.

    Thanks

    Lewis

    Tuesday, February 28, 2012 12:23 PM
  • Thanks again Hasain, that's cleared the issue up for me. More reading required!

    Thanks

    Lewis

    Wednesday, February 29, 2012 9:58 AM