Autoenrollment of Certificate

I have been sent a certificate from a CA at a sister site that I want to be able to distribute to all clients in our local domain. I want the cert I have been sent to be auto-enrolled by our clients and placed in their 'Trusted Root Certificate Authorities' container. CA (and subordinate CA) are Win2k3 native. Clients are XP and 2000.

If I manually import the certificate, it works fine. I don't though seem to have any auto-enrollment control over imported certificates on our CA. Auto-enrollment options seem to be controlled through certificate templates that I configure and publish into A/D myself.

Is there any way to achieve this, or do I have to resort to manual imports using certutil.exe in the login script?

Thanks

You're confusing some terms. "Autoenrollment" is a mechanism that allows machines and users to automatically enroll for their own certificates when they log onto the domain. You're describing something different: you want all your machines and users to have the sister site's CA certificate in their public stores so that they trust certificates from that CA. You don't use autoenrollment for that; instead, all you need to do is add that CA to your domain policy. As machine and user policies update themselves, they'll get the certificate in their stores.

http://technet2.microsoft.com/WindowsServer/en/library/4b7ea7f9-311a-479b-aecc-c856165b97c11033.mspx?mfr=true describes the procedure.

______________________________________________________
Steve Riley
steve.ri***@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"TonyB" <tony.barr***@roke.co.uk> wrote in message news:u5y0IzD%23GHA.896@TK2MSFTNGP03.phx.gbl...
> I have been sent a certificate from a CA at a sister site that I want to be able to distribute to all clients in our local domain. I want the cert I have been sent to be auto-enrolled by our clients and placed in their 'Trusted Root Certificate Authorities' container. CA (and subordinate CA) are Win2k3 native. Clients are XP and 2000.
>
> If I manually import the certificate, it works fine. I don't though seem to have any auto-enrollment control over imported certificates on our CA. Auto-enrollment options seem to be controlled through certificate templates that I configure and publish into A/D myself.
>
> Is there any way to achieve this, or do I have to resort to manual imports using certutil.exe in the login script?
>
> Thanks
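A client that already had the certificate imported by hand will trust the sister site's CA whether or not the domain policy ever applied, so it is worth checking which physical store the certificate actually sits in. The script below is an added example, not part of the thread: the file name is a placeholder, and it assumes a client with PowerShell 3.0 or later and the standard Windows registry locations behind the machine's Trusted Root Certification Authorities store.

```powershell
# Added example: report how a CA certificate reached this machine's Root store.
param(
    [string]$CertPath = '.\sister-site-ca.cer'   # placeholder file name
)

# Load the certificate file that was sent over and take its thumbprint.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList (Resolve-Path $CertPath).Path
$thumb = $cert.Thumbprint

# Sanity checks before trusting it domain-wide: a root is self-issued and,
# when the Basic Constraints extension is present, is marked as a CA.
# (Older v1 roots may carry no Basic Constraints extension at all.)
$selfIssued = $cert.Subject -eq $cert.Issuer
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
$markedCA = [bool]($bc -and $bc.CertificateAuthority)

# Physical stores that are merged into the logical LocalMachine\Root store.
$stores = [ordered]@{
    'GroupPolicy' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise'  = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    'LocalImport' = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
}

$result = [ordered]@{
    Thumbprint = $thumb          # compare out-of-band with the sister site
    Subject    = $cert.Subject
    NotAfter   = $cert.NotAfter
    SelfIssued = $selfIssued
    MarkedAsCA = $markedCA
}
foreach ($name in $stores.Keys) {
    # Each certificate is stored under a subkey named after its thumbprint.
    $result[$name] = Test-Path (Join-Path $stores[$name] $thumb)
}
# The logical view: true if any physical store above contains the certificate.
$result['TrustedOnThisMachine'] = Test-Path "Cert:\LocalMachine\Root\$thumb"

[pscustomobject]$result | Format-List

if ($result.LocalImport -and -not $result.GroupPolicy) {
    Write-Warning 'Trusted only through a local import; domain policy has not delivered it.'
}
```

The printed thumbprint should be confirmed with the sister site's CA administrators over a separate channel before the certificate is added to domain policy.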