Offline Root CA - AutoEnrollment


Dan

Apologies if this turns up later through another posting through a
website...,

I have experience of working with Certificates, so configuration is not the
problem

My question relates to my scenario. I have installed a standalone root CA,
for the purposes of removing later for security. I have installed an
enterprise subordinate CA from this root CA, by publishing and requesting a
certificate for the subordinate, from the root CA, in the correct manner.

I cannot however autoenroll users/computers from my subordinate CA. They can
request and install certificates manually, but not automatically (actually I
haven't been able to manually enroll computers for certificates; there does
not seem to be an option for this at http://'subordianteCA'\Certsrv' web
site certificate request page).

Is this the correct behaviour? Can an enterprise subordinate CA autoenroll
clients, and if so, is mine not working due to my root CA being Standalone
(no AD)?

Or do I have another problem? An explanation from anyone please

Brian Komar [MVP]

> Is this the correct behaviour? Can an enterprise subordinate CA autoenroll
> clients, and if so, is mine not working due to my root CA being Standalone
> (no AD)?

The big question is what OS do you have on the
enterprise subordinate CA. You must be running Windows
Server 2003, Enterprise Edition or higher to issue
certificates using autoenrollment.

Also, computer certificates cannot be issued by the Web
site unless the certificate template is configured to
allow the subject to be provided in the request. The
connection to the /certsrv Web site is in the security
context of the user, not the computer.

Brian

Dan

Brian,

Both the offline root CA, and the enterprise subordinate CA are 2003sp1
machines. From your response I am assuming that autoenrollment should work
in my situation, that is a 2003 enterprise subordinate.

I have configured autoenrollment many times with an Enterprise root CA, and
the certificates I want to issue have the correct permissions set on them
for users and computers. I have only hit this problem since setting up an
enterprise subordinate with a standalone offline root, leading me to wonder
if autoenrollment was actually possible with this setup.

As for requesting a computer certificate through the website, do you mean
that it would have to have the enroll permission set on it for users? It
wouldn't have this at the moment and maybe that is the problem there.

Thanks

As to using the web site to request computer certificates, the computer
certificates I have
 

Paul Adare

> Brian,
>
> Both the offline root CA, and the enterprise subordinate CA are 2003sp1
> machines. From your response I am assuming that autoenrollment should work
> in my situation, that is a 2003 enterprise subordinate.

Which SKU of Windows Server 2003? Web, Standard, Enterprise, Data
Center? Autoenrollment is only possible with Enterprise or Data Center.
In this case, Enterprise is referring to the SKU for Windows Server 2003
and not the type of CA (though it does also have to be an Enterprise and
not stand-alone CA).

> I have configured autoenrollment many times with an Enterprise root CA, and
> the certificates I want to issue have the correct permissions set on them
> for users and computers. I have only hit this problem since setting up an
> enterprise subordinate with a standalone offline root, leading me to wonder
> if autoenrollment was actually possible with this setup.

It is definitely. The root CA has zero impact on autoenrollment.

> As for requesting a computer certificate through the website, do you mean
> that it would have to have the enroll permission set on it for users? It
> wouldn't have this at the moment and maybe that is the problem there.

No, exactly what he said. You'd need to duplicate the template and
change the Subject tab to Supply the subject in the request instead of
building it automatically. The way it is set up now, if you were to allow
users enroll permissions on the template, the issued certificate
wouldn't work as the Subject would be built from the user's account
information in AD and not the computer's account information.

> Thanks
>
> As to using the web site to request computer certificates, the computer
> certificates I have

--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
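An added example, not part of the thread, that checks the two conditions Paul and Brian raise: the SKU of the CA host, and which templates have "Supply in the request" set on the Subject tab and who holds Enroll on them. It assumes a domain-joined host with the RSAT ActiveDirectory module; template names are read from AD rather than hard-coded.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# 1. SKU of the CA host: autoenrollment on Server 2003 needs Enterprise or Datacenter.
(Get-CimInstance Win32_OperatingSystem).Caption

# 2. Templates that let the requester supply the subject, and the principals allowed to enroll.
# Bit 0x1 of msPKI-Certificate-Name-Flag is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
# ("Supply in the request" on the template's Subject tab).
$ctFlagEnrolleeSuppliesSubject = 0x1
# Certificate-Enrollment extended right (the "Enroll" permission on a template).
$enrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext

Get-ADObject -SearchBase $templatesDn -LDAPFilter '(objectClass=pKICertificateTemplate)' `
             -Properties 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor |
  ForEach-Object {
    $nameFlag = [int]$_.'msPKI-Certificate-Name-Flag'
    $enrollers = $_.nTSecurityDescriptor.Access |
      Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
          $_.ObjectType -eq $enrollRightGuid -or
          ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        )
      } |
      ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    [pscustomobject]@{
      Template        = $_.Name
      SuppliesSubject = (($nameFlag -band $ctFlagEnrolleeSuppliesSubject) -ne 0)
      Enroll          = ($enrollers -join '; ')
    }
  } | Sort-Object SuppliesSubject -Descending | Format-Table -AutoSize
```

Rows with SuppliesSubject set to True are the duplicated templates Paul describes; review their Enroll column, since the Web enrollment page runs as the requesting user and that user's request determines the subject.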