Autoenrollment of Certificate


TonyB

I have been sent a certificate from a CA at a sister site that I want to be
able to distribute to all clients in our local domain. I want the cert I
have been sent to be auto-enrolled by our clients and placed in their
'Trusted Root Certificate Authorities' container. CA (and subordinate CA)
are Win2k3 native. Clients are XP and 2000.

If I manually import the certificate, it works fine. I don't though seem to
have any auto-enrollment control over imported certificates on our CA.
Auto-enrollment options seem to be controlled through certificate templates
that I configure and publish into A/D myself.

Is there any way to achieve this, or do I have to resort to manual imports
using certutil.exe in the login script?

Thanks
 
You're confusing some terms. "Autoenrollment" is a mechanism that allows machines and users to automatically enroll for their own certificates when they log onto the domain. You're describing something different: you want all your machines and users to have the sister site's CA certificate in their public stores so that they trust certificates from that CA. You don't use autoenrollment for that; instead, all you need to do is add that CA to your domain policy. As machine and user policies update themselves, they'll get the certificate in their stores.

http://technet2.microsoft.com/Windo...311a-479b-aecc-c856165b97c11033.mspx?mfr=true describes the procedure.

______________________________________________________
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
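
Adding a CA to domain policy makes every machine in the domain trust it, so the file is worth checking before it is imported. The following is an added example, not part of the thread: a PowerShell pre-check run on the administrator's workstation, where the function name, its parameters and the file name are hypothetical and the expected thumbprint is assumed to have been obtained from the sister site over a separate channel.

```powershell
# Added example: pre-distribution check for a received CA certificate file.
# Function and parameter names are hypothetical, not from the thread.
function Test-CaCertificateBeforeDistribution {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # SHA-1 thumbprint confirmed by the issuing site out of band (assumption)
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
    )

    # .NET resolves relative paths against the process working directory,
    # not the current PowerShell location, so pass a full path.
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # Keep hex digits only: drops spaces, colons and invisible characters
    # that come along when a thumbprint is copied out of a dialog.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Basic Constraints extension, if present (very old v1 roots may lack it).
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1

    $now = Get-Date
    $result = New-Object PSObject -Property @{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        ThumbprintMatch = ($expected.Length -eq 40 -and $cert.Thumbprint -eq $expected)
        # Subject equals issuer: what is expected of a root, as opposed to a
        # subordinate CA or end-entity certificate. Not a signature check.
        SelfIssued      = ($cert.Subject -eq $cert.Issuer)
        IsCa            = ($null -ne $bc -and $bc.CertificateAuthority)
        InValidity      = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    }
    $ok = $result.ThumbprintMatch -and $result.SelfIssued -and
          $result.IsCa -and $result.InValidity
    $result | Add-Member -MemberType NoteProperty -Name SafeToDistribute -Value $ok -PassThru
}

# Usage (constructed file name; substitute the thumbprint you were given):
#   Test-CaCertificateBeforeDistribution -Path .\sister-site-root.cer `
#       -ExpectedThumbprint '<thumbprint from sister site>'
```

Import the file into policy only when `SafeToDistribute` is `True`; a `False` on `SelfIssued` usually means the file is the subordinate CA's certificate rather than the root.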

