Autoenrollment of Certificate

TonyB

I have been sent a certificate from a CA at a sister site that I want to be
able to distribute to all clients in our local domain. I want the cert I
have been sent to be auto-enrolled by our clients and placed in their
'Trusted Root Certificate Authorities' container. CA (and subordinate CA)
are Win2k3 native. Clients are XP and 2000.

If I manually import the certificate, it works fine. I don't though seem to
have any auto-enrollment control over imported certificates on our CA.
Auto-enrollment options seem to be controlled through certificate templates
that I configure and publish into A/D myself.

Is there any way to achieve this, or do I have to resort to manual imports
using certutil.exe in the login script?

Thanks
 
Steve Riley [MSFT]

You're confusing some terms. "Autoenrollment" is a mechanism that allows machines and users to automatically enroll for their own certificates when they log onto the domain. You're describing something different: you want all your machines and users to have the sister site's CA certificate in their public stores so that they trust certificates from that CA. You don't use autoenrollment for that; instead, all you need to do is add that CA to your domain policy. As machine and user policies update themselves, they'll get the certificate in their stores.

http://technet2.microsoft.com/Windo...311a-479b-aecc-c856165b97c11033.mspx?mfr=true describes the procedure.

______________________________________________________
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


