
Delivering certificate not in the same domain name ?

Posted by Pascal on April 2, 2008, 6:57 am
Hello,

another question ;-)

If I am installing an enterprise Windows certificate authority, the
delivered certificates have to be delivered only for the same domain
name as my active directory domain name ?

For example, if my domain is "mycompany.local", does it mean that only
certificates for *.mycompany.local can be delivered or I can deliver a
certificate for "www.mywebsite.com" ?

If I can deliver a certificate for www.mywebsite.com and I install the
root certificate of my enterprise CA in the client computer, this
computer will not have any warning message, so ?

Thank you

--
Pascal



Posted by neo [mvp outlook] on April 3, 2008, 7:32 pm
Yes, you can issue certificates for other domain names other than
"mycompany.local".

Correct, if issuing self-signed certificates then a copy of the CA
certificate has to be installed on non-domain member workstations and
servers. (Member workstation/servers automatically get a copy installed at
the time of joining the active directory domain.) Once this is done, no
more prompts because a certificate can be verified back to the CA
certificate.

> Hello,
>
> another question ;-)
>
> If I am installing an enterprise Windows certificate authority, the
> delivered certificates have to be delivered only for the same domain name
> as my active directory domain name ?
>
> For example, if my domain is "mycompany.local", does it mean that only
> certificates for *.mycompany.local can be delivered or I can deliver a
> certificate for "www.mywebsite.com" ?
>
> If I can deliver a certificate for www.mywebsite.com and I install the
> root certificate of my enterprise CA in the client computer, this computer
> will not have any warning message, so ?
>
> Thank you
>
> --
> Pascal
>
>



Posted by Pascal on April 7, 2008, 8:58 am
Thank you neo, but how do you request a certificate for domain
names other than "mycompany.local"? Through the configuration of Subject
Alternative Name?

Thanks

> Yes, you can issue certificates for other domain names other than
> "mycompany.local".
>
> Correct, if issuing self-signed certificates then a copy of the CA
> certificate has to be installed on non-domain member workstations and
> servers. (Member workstation/servers automatically get a copy installed at
> the time of joining the active directory domain.) Once this is done, no more
> prompts because a certificate can be verified back to the CA certificate.
>
>> Hello,
>>
>> another question ;-)
>>
>> If I am installing an enterprise Windows certificate authority, the
>> delivered certificates have to be delivered only for the same domain name
>> as my active directory domain name ?
>>
>> For example, if my domain is "mycompany.local", does it mean that only
>> certificates for *.mycompany.local can be delivered or I can deliver a
>> certificate for "www.mywebsite.com" ?
>>
>> If I can deliver a certificate for www.mywebsite.com and I install the root
>> certificate of my enterprise CA in the client computer, this computer will
>> not have any warning message, so ?
>>
>> Thank you
>>
>> -- Pascal
>>
>>

--
Pascal



Posted by neo [mvp outlook] on April 9, 2008, 7:53 am
Since I run Windows 2003 Enterprise Edition, what I did was create a copy of
the existing Web Server certificate template and configured it so that the
information would be supplied in the request. Once I allowed the new
template to be used, I used the web interface (http://server/certsrv) to
request the certificate.

If you wish to support Subject Alternate Names (SAN) under Windows 2003
Certificate Services, you need to turn the option on. Note, this isn't a
setting on the certificate template. You actually have to use certutil to
turn the feature on and then stop/start certificate services. The commands
are...

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

Once you do this, you can request certificates that include the SAN
attribute.


> Thank you neo, but how do you request a certificate for domain
> names other than "mycompany.local"? Through the configuration of Subject
> Alternative Name?
>
> Thanks
>
>> Yes, you can issue certificates for other domain names other than
>> "mycompany.local".
>>
>> Correct, if issuing self-signed certificates then a copy of the CA
>> certificate has to be installed on non-domain member workstations and
>> servers. (Member workstation/servers automatically get a copy installed
>> at the time of joining the active directory domain.) Once this is done,
>> no more prompts because a certificate can be verified back to the CA
>> certificate.
>>
>>> Hello,
>>>
>>> another question ;-)
>>>
>>> If I am installing an enterprise Windows certificate authority, the
>>> delivered certificates have to be delivered only for the same domain
>>> name as my active directory domain name ?
>>>
>>> For example, if my domain is "mycompany.local", does it mean that only
>>> certificates for *.mycompany.local can be delivered or I can deliver a
>>> certificate for "www.mywebsite.com" ?
>>>
>>> If I can deliver a certificate for www.mywebsite.com and I install the
>>> root certificate of my enterprise CA in the client computer, this
>>> computer will not have any warning message, so ?
>>>
>>> Thank you
>>>
>>> -- Pascal
>>>
>>>
>
> --
> Pascal
>
>
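
Added example, not part of the original thread: as the last post notes, EDITF_ATTRIBUTESUBJECTALTNAME2 is set on the CA's policy module rather than on a template, so once enabled it applies to every request the CA processes. The PowerShell below, run elevated on the CA server, reports whether the flag is currently set; it assumes the default policy module and reads the CA name from the registry.

```powershell
# Added example: audit whether this CA honors SANs supplied as request
# attributes (EDITF_ATTRIBUTESUBJECTALTNAME2). Run elevated on the CA server.
# Assumption: the CA uses the default Microsoft policy module.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # bit value of the flag

$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The "Active" value holds the name of the CA configured on this server.
$caName = (Get-ItemProperty -Path $configRoot -Name Active).Active

$policyKey = "$configRoot\$caName\PolicyModules\" +
             'CertificateAuthority_MicrosoftDefault.Policy'

# EditFlags is the same DWORD that "certutil -setreg policy\EditFlags" edits.
$editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
$sanEnabled = ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0

# Emit a small report object so the result can be logged or exported.
[pscustomobject]@{
    CA                       = $caName
    EditFlags                = '0x{0:X8}' -f $editFlags
    SanFromRequestAttributes = $sanEnabled
}

if ($sanEnabled) {
    Write-Warning ("CA '$caName' accepts Subject Alternative Names from " +
                   "request attributes. Confirm this is still required.")
    # To turn the option off again, use the same commands as in the post
    # with '-' in place of '+', then restart the service:
    #   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
    #   net stop certsvc
    #   net start certsvc
}

# The same value can be inspected by hand with:
#   certutil -getreg policy\EditFlags
```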


