|
Posted by Jeanne on May 14, 2007, 2:43 am
Please log in for more thread options
Hi all,
Just a quick question: Our Enterprise Root CA in our AD forest is running on
a DC on a Win2003 Standard Edition box. I read that a standard edition W2k3
can only issue "Version 1" of security templates?
Not sure if its any issue but if we want to obtain Windows Computer
Certificates for client/server authentication (OID: 1.3.6.1.5.5.7.3.1 and
....3.2) purposes from this CA, is it possible? The web interface of an
Enterprise CA don't give us the option to pick a "computer" certificate
template. Must we absolutely need to setup an Win2k3 Enterprise edition
based CA for this?
A little confused. Need some quick pointer/light...
Many thanks all.
Cheers.
|
|
Posted by Brian Komar on May 14, 2007, 5:52 am
Please log in for more thread options
On Mon, 14 May 2007 14:43:25 +0800, Jeanne wrote:
show/hide quoted text
> Hi all,
> Just a quick question: Our Enterprise Root CA in our AD forest is running on
> a DC on a Win2003 Standard Edition box. I read that a standard edition W2k3
> can only issue "Version 1" of security templates?
>
> Not sure if its any issue but if we want to obtain Windows Computer
> Certificates for client/server authentication (OID: 1.3.6.1.5.5.7.3.1 and
> ....3.2) purposes from this CA, is it possible? The web interface of an
> Enterprise CA don't give us the option to pick a "computer" certificate
> template. Must we absolutely need to setup an Win2k3 Enterprise edition
> based CA for this?
>
> A little confused. Need some quick pointer/light...
>
> Many thanks all.
> Cheers.
It can issue the Computer certificate template. You just need to use the
correct resources. Do not use the Web page, as the request is in the
security context of the user.
Instead, open a new MMC, add the Certificates console and focus on the
Local Machine (you must be a member of the local Administrators).
You can then request the Computer certificate
Brian
|
|
Posted by Jeanne on May 14, 2007, 7:22 am
Please log in for more thread options Ah, thanks for the tips Brian. Its great for those in the domain.
But I suspect the MMC approach won't be applicable for our few other
machines that are non-domain joined. I'm currently trying to understand how
to use certreq utility to make this work. Hmn..
Cheers.
show/hide quoted text
> On Mon, 14 May 2007 14:43:25 +0800, Jeanne wrote:
>> Hi all,
>> Just a quick question: Our Enterprise Root CA in our AD forest is running
>> on
>> a DC on a Win2003 Standard Edition box. I read that a standard edition
>> W2k3
>> can only issue "Version 1" of security templates?
>> Not sure if its any issue but if we want to obtain Windows Computer
>> Certificates for client/server authentication (OID: 1.3.6.1.5.5.7.3.1 and
>> ....3.2) purposes from this CA, is it possible? The web interface of an
>> Enterprise CA don't give us the option to pick a "computer" certificate
>> template. Must we absolutely need to setup an Win2k3 Enterprise edition
>> based CA for this?
>> A little confused. Need some quick pointer/light...
>> Many thanks all.
>> Cheers.
> It can issue the Computer certificate template. You just need to use the
> correct resources. Do not use the Web page, as the request is in the
> security context of the user.
> Instead, open a new MMC, add the Certificates console and focus on the
> Local Machine (you must be a member of the local Administrators).
> You can then request the Computer certificate
> Brian
|
|
Posted by Brian Komar on May 14, 2007, 2:43 pm
Please log in for more thread options On Mon, 14 May 2007 19:22:27 +0800, Jeanne wrote:
show/hide quoted text
> Ah, thanks for the tips Brian. Its great for those in the domain.
>
> But I suspect the MMC approach won't be applicable for our few other
> machines that are non-domain joined. I'm currently trying to understand how
> to use certreq utility to make this work. Hmn..
>
> Cheers.
>
>> On Mon, 14 May 2007 14:43:25 +0800, Jeanne wrote:
>>> Hi all,
>>> Just a quick question: Our Enterprise Root CA in our AD forest is running
>>> on
>>> a DC on a Win2003 Standard Edition box. I read that a standard edition
>>> W2k3
>>> can only issue "Version 1" of security templates?
>>> Not sure if its any issue but if we want to obtain Windows Computer
>>> Certificates for client/server authentication (OID: 1.3.6.1.5.5.7.3.1 and
>>> ....3.2) purposes from this CA, is it possible? The web interface of an
>>> Enterprise CA don't give us the option to pick a "computer" certificate
>>> template. Must we absolutely need to setup an Win2k3 Enterprise edition
>>> based CA for this?
>>> A little confused. Need some quick pointer/light...
>>> Many thanks all.
>>> Cheers.
>> It can issue the Computer certificate template. You just need to use the
>> correct resources. Do not use the Web page, as the request is in the
>> security context of the user.
>> Instead, open a new MMC, add the Certificates console and focus on the
>> Local Machine (you must be a member of the local Administrators).
>> You can then request the Computer certificate
>> Brian
I would look at the Advanced Request whitepaper. It focuses on Domain
Controller certs, but can easily be extrapolated for computer certificates.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
Brian
|
| Similar Threads | Posted | | Windows 2003 Standard Edition & Microsoft.XMLHTTP Question | September 30, 2006, 10:25 pm |
| AD CS 2008 - issuing IPSEC certs from a stand-alone CA: | January 31, 2008, 3:17 pm |
| Child domain laptops autoenrolling user certs but not computer certs | May 21, 2008, 4:19 pm |
| Problem with Machine Certs being used as User Certs | June 15, 2005, 7:06 am |
| Certificate Services Web interface and Win2k3 x64/AMD64 edition | October 2, 2006, 5:13 pm |
| NEW IPHONE VIDEO PROJECTOR PROTOTYPE NOW AVAILABLE LIMITED EDITION | December 3, 2008, 1:02 am |
| running .bat files | January 9, 2008, 11:00 am |
| services running under a certain account | August 15, 2005, 9:19 am |
| bmss.exe running on boot | February 26, 2006, 2:56 am |
| Root CA issuing CA | October 26, 2006, 2:02 am |
|
XML Sitemap
> Just a quick question: Our Enterprise Root CA in our AD forest is running on
> a DC on a Win2003 Standard Edition box. I read that a standard edition W2k3
> can only issue "Version 1" of security templates?
>
> Not sure if its any issue but if we want to obtain Windows Computer
> Certificates for client/server authentication (OID: 1.3.6.1.5.5.7.3.1 and
> ....3.2) purposes from this CA, is it possible? The web interface of an
> Enterprise CA don't give us the option to pick a "computer" certificate
> template. Must we absolutely need to setup an Win2k3 Enterprise edition
> based CA for this?
>
> A little confused. Need some quick pointer/light...
>
> Many thanks all.
> Cheers.