certificate

jedec

Hi

I have computer X1 (w2K adv server, DC, CA enterprise).

Logged as user tom, request certificate on http://x1/certsrv - OK, I receive
and install certificate in IE.
In AD users and computers, for account Tom I can't see certificate under
x509 tab - certificate is listed under IUSR_computername account.

With mmc snap-in (certificates-user) I can create user certificate for Tom
(with private key not exportable). This certificate is listed under AD users
and computers under x509 tab.

Questions:
1. How is web certificate request different from mmc issued certificate (two
methods produce different certificates?).

2. How can I create 2 certificates for 2 different external users (they can
have accounts in AD). I want to use client authentication and set different
permissions for different users.
Certificate2name mapping under IIS is not working as expected.

3. How can I export private key from user Tom certificate (is it necessary?)

(I have access to technet but can't find answers to my questions)


Jedec
 
splatter

Questions:
1.How is web certificate request different from mmc issued certificate (two
methods produce different certificates ?).

Nothing as long as you picked the same options on both, but I think you're
confused, mmc imported the certificate and creates a space for the keys.
There is an option there to allow the export of the private key. In this
case you didn't... you picked (private key not exportable), which answers the
other question you had: if you want to be able to export the key then you
have to pick that option when you create the cert.space.


can
have accounts in AD).

The users have to have login credentials & pass them to the certsrv html
page.

Once logged in they can request a web cert and, if you have the certsrv set
up that way, immediately get and install the cert.
To set that up:

Go to the certserv mod and click on the advanced options settings and there
is a check box for require
your OK, or give it up immediately. You may want to switch it back after you
give out your initial certs.


On your end you will need to open the cert in certmngr and copy the cert to
a file. You won't need the key.
Go to the cert 2 map screen and map the certificate to the login credentials and
that's it.
Just make sure the browser is set to pass creds and not send anonymously.


I want to use client authentication and set different
permissions for different users.
Certificate2name mapping under IIS is not working as expected.

What exactly isn't working as expected? Or did that help?

3. How can I export private key from user Tom certificate (is it necessary?)

Open the certificate
click the details
copy to file
click the export private key

Not really, unless you're trying to give it to the user manually, or do an
off-site backup. Otherwise you can always go to it from the certsrv manager
and get it if need be.


DP
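
An added example, not part of either post: a structural check that a file exported for certificate-to-account mapping carries only a public certificate and no private key. The function names and the two byte-string stubs are constructed for this illustration; the check looks at the PEM label and the outer DER shape only and does not validate the certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed structural stubs (not real certificates or keys), for the demo only.
CERT_STUB = bytes.fromhex("300a30030201013000030100")  # SEQUENCE{SEQUENCE,SEQUENCE,BIT STRING}
PFX_STUB = bytes.fromhex("3003020103")                 # SEQUENCE{INTEGER 3}, the PFX version

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_der(der):
    """Classify a DER blob as 'certificate', 'pkcs12' or 'unknown'."""
    try:
        tag, start, _ = read_tlv(der, 0)
        if tag != 0x30:                     # everything of interest is a SEQUENCE
            return "unknown"
        first_tag, fstart, fend = read_tlv(der, start)
    except IndexError:
        return "unknown"
    if first_tag == 0x30:                   # X.509: first member is tbsCertificate
        return "certificate"
    if first_tag == 0x02 and der[fstart:fend] == b"\x03":
        return "pkcs12"                     # PFX container, may hold the private key
    return "unknown"                        # bare keys, PKCS#7, garbage: fail closed

def inspect_export(data):
    """Return (kinds, safe); safe is True only if every part is a certificate."""
    kinds = []
    blocks = PEM_BLOCK.findall(data.decode("latin-1"))
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            kinds.append("private-key")
        elif label == "CERTIFICATE":
            try:
                kinds.append(classify_der(base64.b64decode(body)))
            except ValueError:              # broken base64 body
                kinds.append("unknown")
        else:
            kinds.append("unknown")
    if not blocks:                          # no PEM armour: treat as raw DER
        kinds.append(classify_der(data))
    return kinds, all(k == "certificate" for k in kinds)
```

Anything reported as `pkcs12`, `private-key` or `unknown` is treated as unsafe to pass along, so a PKCS #7 bundle is also rejected even though it holds no key.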
 