Posted by StuartH on December 14, 2006, 6:20 am
Did either of these work, Jonathan?
The reason I ask is, funny enough, we have the same issue. I have read as
many articles/KBs as I can and would like some clarification if anyone can,
PLEASE!!
We have a standalone Root CA with Enterprise issuing CAs. We have run
DSpublish for the Root CA into the AD, but clients do not get entries added to
their trusted store. From what I understand, and have read many times, is things
like "When you install an enterprise root CA or a stand-alone root CA, the
certificate of the CA is added automatically to the Trusted Root
Certification Authorities Group Policy for the domain." Well, if this is a
standalone Root, how the heck does it put it into a GPO? Another article
states that if the client is a domain member, then they will automatically
receive the CAs in the trusted store... but neglects to say how.
So... in a complete Microsoft world (Root CA, Sub Ent CAs and clients)... how
does the trusted store get populated on a client? Do you need a GPO or not?
Thanks
Stuart
"S. Pidgorny <MVP>" wrote:
> I'd try both 1 and 2 - one will work for sure.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> > Hi all,
> >
> > Our PKI is based on 2003 and uses an offline root and issuing CAs.
> > All worked fine but about a month ago it developed a slight issue.
> >
> > Whilst I can see the offline root cert is in AD under the correct node
> > (looking through adsiedit) and it is still valid (10yr validity),
> > when I add a new computer to the domain it does not get the root cert
> > added to the client PCs' trusted store.
> >
> > My two thoughts are to
> > 1. republish the same certificate using certutil -dspublish
> > 2. use the authority GPO setting on the domain policy
> >
> > Any comments?
> > Or better suggestions?
> > Jonathan
> >
>
>
>
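A check a domain admin can run on a member client to see whether the root CAs published in AD (the container that certutil -dspublish writes into) have actually reached the machine's trusted store. This is an added PowerShell example, not code from the thread, and assumes a domain-joined Windows client with PowerShell 5 or later.

```powershell
# Added example, not code from the thread. Assumes a domain-joined Windows client,
# PowerShell 5+ and the .NET DirectoryServices/X509 types that ship with Windows.

# The AD container that "certutil -dspublish -f <rootcert.cer> RootCA" writes into.
$rootDse     = [ADSI]"LDAP://RootDSE"
$configNc    = $rootDse.configurationNamingContext
$caPath      = "LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"
$caContainer = [ADSI]$caPath

# Collect every cACertificate value published under that container, keyed by thumbprint.
$published = @{}
foreach ($entry in $caContainer.Children) {
    foreach ($blob in $entry.Properties["cACertificate"]) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
        $published[$cert.Thumbprint] = $cert.Subject
    }
}

# The logical LocalMachine\Root store as the client sees it. Roots pulled from AD by
# autoenrollment and roots pushed by Group Policy both surface here next to the local ones.
$localRoots = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint

# One row per AD-published root: present on this client, or MISSING from its trusted store.
foreach ($tp in $published.Keys) {
    $status = if ($localRoots -contains $tp) { 'present' } else { 'MISSING' }
    [PSCustomObject]@{ Status = $status; Thumbprint = $tp; Subject = $published[$tp] }
}
```

A MISSING row on a machine that is already domain-joined points at the client-side autoenrollment pull (certutil -pulse triggers it on demand) rather than at the publication step, which this script has just confirmed.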