Assigning Certificates

Johnny

Looking for a way to assign Computer Certificates to machines that are never
on the network. Is there a way for an administrator to create a certificate
that can be imported into a machine's certificate store? I could then create
a certificate, copy it to a floppy and send it home with the user.

Thanks.
 
It depends on the CA policy used. What is the purpose of this certificate?

In general you can use the MMC Certificates snap-in to import a certificate
under Computer Account.
 
My problem is not importing, it is having something to import. I want to
allow users to connect via VPN with Certificates to my network. I want to
be able to generate a certificate and hand it to them on a floppy. Then
they can take it home and install it on their computer and get into the
network.
 
You can use the Win2k3 Certreq -new command to generate a request; it takes
an inf file containing the request parameters. Set MachineKeySet=TRUE and
Exportable=TRUE, and specify Subject in the format required by IPSec:

CN=machine name,DC=..,DC=..,DC=..

Then submit the request using certreq -submit and accept it using
certreq -accept.
You can then export the certificate to a file.


Alternatively you can create a script that uses Xenroll to create the
request.

[NewRequest]
; Reference list of the [NewRequest] keys. The values shown are placeholders
; and alternatives, not a working request: pick only the keys you need.
Subject = "CN=..,OU=...,DC=..."
PrivateKeyArchive = TRUE        ; CA archives the private key (CMC requests only)
KeySpec = 1                     ; 1 = AT_KEYEXCHANGE, 2 = AT_SIGNATURE
KeyLength = 1024
RenewalCert = CertId            ; only when renewing an existing certificate
SMIME = TRUE                    ; add the S/MIME capabilities extension
Exportable = TRUE               ; private key may be exported (PFX)
UserProtected = TRUE            ; strong private key protection (prompts on use)
KeyContainer = "..."            ; existing key container, used with UseExistingKeySet
MachineKeySet = TRUE            ; key lives in the machine store, not the user's
Silent = TRUE                   ; no UI while the request is generated
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1                ; PROV_RSA_FULL
UseExistingKeySet = TRUE        ; reuse the key in KeyContainer instead of generating one
RequesterName = DOMAIN\User     ; enroll on behalf of this account (needs an enrollment agent cert)
RequestType = PKCS10 | PKCS10- | PKCS7 | CMC   ; choose exactly one of these
KeyUsage = 0x80                 ; key usage bits; 0x80 = digital signature
EncipherOnly = TRUE             ; sets the encipher-only key usage bit
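The certreq workflow from this reply, carried through end to end as an added example; this is not code from the thread. It assumes a CA configuration string of ca01.corp.example.com\Corp Issuing CA, that the built-in IPSec (Offline request) template (IPSECIntermediateOffline, whose subject name is supplied in the request) is published on that CA, and a home machine named laptop01.corp.example.com; change those names for your environment. It also ships the CA certificate with the PFX, because a machine that is never on the network will not have picked up the domain's root from Group Policy.

```powershell
# Added example, not from the original thread. Run in an elevated prompt on a
# domain-joined admin workstation that can reach the CA.
# Assumptions (change for your environment):
$caConfig = 'ca01.corp.example.com\Corp Issuing CA'   # CA as "host\CA name"
$template = 'IPSECIntermediateOffline'                 # IPSec (Offline request) template
$machine  = 'laptop01.corp.example.com'                # the home machine's name
$workDir  = "C:\Enroll\$machine"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

$infPath  = Join-Path $workDir 'request.inf'
$reqPath  = Join-Path $workDir 'request.req'
$cerPath  = Join-Path $workDir "$machine.cer"
$pfxPath  = Join-Path $workDir "$machine.pfx"
$caCert   = Join-Path $workDir 'issuing-ca.cer'

# 1. Request parameters. MachineKeySet=TRUE generates the key in this box's
#    machine store (a computer certificate, not a user one) and Exportable=TRUE
#    is what later lets the private key leave in a PFX. Only the keys needed
#    for this case are set; the template supplies the extensions.
$inf = @"
[NewRequest]
Subject = "CN=$machine,DC=corp,DC=example,DC=com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 2. Generate the key pair and the PKCS#10 request.
certreq -new $infPath $reqPath

# 3. Submit the request to the CA. If the template requires CA-manager approval
#    the request stays pending: note the RequestId certreq prints and run
#    "certreq -retrieve <RequestId> <cer file>" after approving it on the CA.
certreq -submit -config $caConfig $reqPath $cerPath

# 4. Bind the issued certificate to the private key in the machine store.
#    This must run on the same box that ran "certreq -new".
certreq -accept $cerPath

# 5. Export certificate plus private key to a password-protected PFX. Certutil
#    selects the certificate by CertId; the subject CN is unique here. Give the
#    password to the user separately from the media.
$pfxPassword = Read-Host 'PFX password'
certutil -p $pfxPassword -exportPFX My $machine $pfxPath

# 6. Fetch the CA certificate so the home machine can build the chain. For a
#    two-tier PKI ship the offline root as well: root into Root, issuing CA
#    into CA; otherwise neither side of the VPN will trust the other.
certutil -config $caConfig -ca.cert $caCert

# 7. Remove this box's copy so the only certificate for this key is the one
#    travelling with the user; confirm with "certutil -store My".
certutil -delstore My $machine

Write-Host "Copy $pfxPath and $caCert to the removable media."
Write-Host "On the home machine, in an elevated prompt:"
Write-Host "  certutil -addstore Root $(Split-Path -Leaf $caCert)"
Write-Host "  certutil -p <password> -importPFX $(Split-Path -Leaf $pfxPath)"
Write-Host "Both default to the local machine stores, which is where the VPN client looks for a computer certificate."
```

The import step deliberately uses certutil without -user, so the certificate and key land in the local machine's Personal store rather than the user's; that is the store Shawn's MMC hint (Computer Account) and the VPN client both refer to. Once the PFX is imported and verified on the home machine, wipe it from the floppy: it is a copy of the machine's identity.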
 
With Windows 2003 it is fairly easy to do; you need to make sure that the
template allows the user to specify the Subject name of the certificate. In
Windows 2000 it is not as intuitive, and I believe it is not supported for the
machine template. You may want to try enabling the IPSec offline template.

--Shawn

This posting is provided "AS IS" with no warranties and confers no rights.
 