Use certreq to enroll a Local Computer certificate?

  • Question

  • First why don't we have a forum dedicated to Active Directory Certificate Services? I'm sure lots of people would be interested. For something so fundamental to security it's like the least understood, worst documented server role.

    My question: is it possible to use certreq to customize the subject/SAN for a certificate template whose permission is assigned to computers rather than users?

    I can use certlm.msc to do this quite easily against a template set to "allow subject info to be included in the request" published to an enterprise CA, yet there doesn't seem to be a way to do the same with certreq so it can be scripted. I've read that certreq always runs under the logged-on user's context, unlike certlm.msc, which runs as, I guess, the computer account.

    My use case is we want to script something to do a first-time enrollment for a Local Computer certificate with customized SAN, for things like clusters that need a virtual DNS name included or just random CNAMEs.

    If there's no direct solution I guess I could export the certificate enrolled via certreq from the User store and then import into Local Computer. It just seems such a roundabout way to do what's easily done via certlm.msc's GUI...

    Thursday, January 25, 2018 9:15 PM

Answers

  • Hi,
    As far as I know, while using the Certreq command to enroll a certificate for a computer, the -machine option must be specified. This option is used to configure a new certificate request, or to specify the context for a certificate acceptance, in the machine context. If this option is not specified and the template does not set a context, then the default is the user context.
    Please see details of the Certreq command at:
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn296456(v=ws.11)
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Wendy Jiang Monday, January 29, 2018 6:51 AM
    • Marked as answer by Roland Fang Monday, April 2, 2018 2:27 AM
    Friday, January 26, 2018 8:44 AM
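The following is an added example (not code from the thread or from Microsoft) of the scripted first-time enrollment the question asks for: an INF with a custom SAN, then `certreq -new`, `-submit` and `-accept` with the `-machine` option the answer names. The template name, CA config string and DNS names are constructed placeholders; it assumes the template allows the subject/SAN to be supplied in the request and that the script runs from an elevated PowerShell prompt.

```powershell
# Added example: enroll a Local Computer certificate with a custom SAN via certreq.
# All names below are constructed placeholders; replace them with your own values.
# Requires an elevated prompt (the key lands in the machine key store).
$Template = 'WebServerCustomSAN'                   # hypothetical template name
$CaConfig = 'CAHOST.corp.example\Corp-Issuing-CA'  # placeholder "CAHost\CAName"
$Subject  = 'CN=cluster01.corp.example'            # constructed sample value
$SanNames = @('cluster01.corp.example', 'cluster01', 'app.corp.example')

# One _continue_ line per DNS name; certreq joins them into the 2.5.29.17 extension.
$SanLines = ($SanNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
$SanLines

[RequestAttributes]
CertificateTemplate = $Template
"@
$Work = Join-Path $env:TEMP 'certreq-san'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$InfPath = Join-Path $Work 'request.inf'; $ReqPath = Join-Path $Work 'request.req'; $CerPath = Join-Path $Work 'request.cer'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# -machine keeps the private key and the pending request in the computer context.
certreq -new -machine $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed: $LASTEXITCODE" }
certreq -submit -config $CaConfig $ReqPath $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed: $LASTEXITCODE" }
certreq -accept -machine $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed: $LASTEXITCODE" }

# Verify the SAN on the issued certificate in the Local Computer store.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject } |
  ForEach-Object { $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } } |
  ForEach-Object { $_.Format($true) }
```

The CA checks the template's Enroll permission against the identity that runs `certreq -submit`, so where Enroll is granted only to computers, run the script under the computer account (for example as SYSTEM) rather than as an ordinary user.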

All replies

  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If not, please reply and tell us the current situation so that we can provide further help.

    Best Regards,

    Wendy
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 29, 2018 6:51 AM