Auto enroll two client authentication certificates from different CA servers

  • Question

  • I have a temporary requirement for a Cisco VPN profile where my client machines (Windows 7 and Windows 10) need to enroll two client authentication certificates from two different CA servers. How do I achieve this?

    Ausaf Ahmed

    Wednesday, April 10, 2019 6:49 PM

All replies

  • The post by Ausaf Ahmed above, after removing the unsupported Grammarly tags:

    I have a temporary requirement for a Cisco VPN profile where my client machines (Windows 7 and Windows 10) need to enroll two client authentication certificates from two different CA servers. How do I achieve this?


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, April 10, 2019 10:21 PM
  • Hi!

    It is hard to imagine why 2 CA servers are needed in your configuration, but if this is so, you have to clarify your question. The simple answer based on the current information is: enroll :)

    BR,


    UV

    Friday, April 12, 2019 9:49 AM
  • When you configure Autoenrollment, your client will get a certificate for each certificate template that allows Autoenrollment.

    The same CA will not create multiple certificates for the same client (even if you run gpupdate /force or certutil -pulse).

    I think that you will have to publish a certificate template with Autoenrollment rights for your Windows 7 / Windows 10 computers on both of your CAs. The template can be the same or you can create 2 different templates (1 for each of your CAs).

    The only thing that you need to validate is how the Cisco VPN will know which certificate to use if they have the same subject name...?


    This posting is provided AS IS without warranty of any kind

    Friday, April 12, 2019 4:23 PM
  • The scenario is this: we have two CA servers running, one on Windows Server 2003 and the second one on Windows Server 2012. We are using Cisco VPN, and the VPN client requires a client authentication user certificate to validate the user. In that VPN profile the network team has an option to define the CA server name in order for it to work properly. Now, in order to decommission the old 2003 CA server, we need to make sure that each client machine gets a client authentication certificate from both CAs. By default it's auto-enrolling a certificate from the old CA, and if I need another certificate I need to request it manually, select the template, and it enrolls a certificate from the new CA.

    How can I make sure that when users log in they get both client authentication certificates from both CAs?

    Hope I have made the scenario clear.

    Ausaf Ahmed

    Wednesday, April 17, 2019 5:14 PM
  • First, be sure that both CAs are Enterprise CAs.

    Create 2 different Certificate Templates. Publish Certificate Template 1 on your Windows 2003 CA and publish Certificate Template 2 on your Windows 2012 CA.

    Configure a GPO for User Autoenrollment (https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment)

    When your clients log on, they will get a certificate from each CA.

    hth


    This posting is provided AS IS without warranty of any kind

    Thursday, April 18, 2019 3:32 AM
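    As an added verification step (this script is not from the thread or from Microsoft; the two issuer names are placeholders you replace with your own CA names), the following PowerShell lists the current user's Client Authentication certificates with their issuer and template, and reports whether one is present from each required CA. Showing Subject next to Issuer also makes the "same subject name" caveat raised earlier in the thread visible.

    ```powershell
    # Added verification script (not from the thread). Lists the current user's
    # Client Authentication certificates and reports whether one is present from
    # each required CA. The two issuer names below are PLACEHOLDERS: replace them
    # with the CA names as they appear in the Issuer field of your certificates.
    $RequiredIssuers = @('CN=OLD-2003-CA', 'CN=NEW-2012-CA')

    $ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth
    $TemplateOids  = @('1.3.6.1.4.1.311.21.7',  # Certificate Template Information (v2+ templates)
                       '1.3.6.1.4.1.311.20.2')  # Certificate Template Name (v1 templates)

    function Test-ClientAuthEku {
        param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
        $eku = $Cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($null -eq $eku) { return $false }   # no EKU extension: not from a client-auth template
        return (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthOid)
    }

    function Get-TemplateName {
        param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
        $ext = $Cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
        if ($null -eq $ext) { return '(no template extension)' }
        # Format() renders e.g. "Template=VPN-User(1.3.6.1.4.1.311.21.8...), Major Version Number=100, ..."
        $text = $ext.Format($false) -replace '^Template=', ''
        return (($text -split ',')[0] -replace '\(.*$', '').Trim()
    }

    # Only valid certificates with a private key matter to the VPN client.
    $clientAuthCerts = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-ClientAuthEku $_) })

    # Inventory: Subject and Issuer side by side shows whether both certs share a subject name.
    $clientAuthCerts | ForEach-Object {
        [pscustomobject]@{
            Issuer     = $_.Issuer
            Subject    = $_.Subject
            Template   = Get-TemplateName $_
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
        }
    } | Format-Table -AutoSize

    # One verdict per required CA.
    foreach ($issuer in $RequiredIssuers) {
        $hits = @($clientAuthCerts | Where-Object { $_.Issuer -like "$issuer*" })
        if ($hits.Count -gt 0) { "OK       $issuer : $($hits.Count) certificate(s)" }
        else { "MISSING  $issuer : trigger autoenrollment (certutil -pulse / gpupdate /force) and re-run" }
    }
    ```

    Run it in the user's own session after logon, since user autoenrollment populates Cert:\CurrentUser\My, not the machine store.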
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 24, 2019 7:02 AM
    Moderator
  • Thanks, my issue is resolved following this tip. Thank you very much once again.

    Ausaf Ahmed

    Thursday, April 25, 2019 2:42 AM
  • Yes, my issue is resolved. Thank you very much for your help.

    Ausaf Ahmed

    Thursday, April 25, 2019 2:44 AM
  • Hi,

    I am glad to hear that your issue was successfully resolved.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 25, 2019 6:19 AM
    Moderator