Shared Certificate Stores in Active Directory

  • Thread starter: Steve Buckley

Steve Buckley

WARNING - This question is not as easy as it may first
seem.

How do you configure a "Shared Certificate Store" in
Active Directory so you can make Certificates and their
associated Public Keys available to members of the
Enterprise, for example to enable IPSec encryption using
Certificates rather than Kerberos?

They are clearly stored *somewhere* already as they are
visible against the user/machine accounts in the Active
Directory Users & Computers MMC.
The CDP container only contains the CRL object - where is
the actual store and how do you set permissions on it?
Or do you have to create one somehow?

I have been puzzling over this one for a good 6 months -
if someone comes back to me with click on "Allow
certificates to be published in Active Directory" I'll
slap them for not reading my question.
 
Do you have the Certification Authority up?
I think you are enabled to share certs with the enterprise there.

//Christoffer Andersson
 
Yes - the CA is fully functional, always has been except
there is no publicly shared certificate store that I know
of - have you ever done this? It appears to be mandatory
if you want to use group policy to enable Certificate
based IPSec effectively, otherwise you have to specify
the local store and manually distribute certificates to
participating machines.
I have set this up on 4-5 different systems and there is
still no certificate store visible in AD - the CDP object
just contains the Certificate Revocation List, yet the
certificates are associated with the user and computer
accounts in AD and are visible from a DC even when the CA
is physically turned off.
Where are the actual certificates visible in AD in your
implementations?
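Added example, not part of the original thread and not written by either poster. The two questions above ("where are the certificates actually stored in AD" and "where are they visible in your implementations") can be answered by reading the directory directly: the certificates that ADUC shows on a user or computer account are DER blobs in that object's userCertificate attribute, and the CA's own certificate is published as cACertificate under CN=AIA,CN=Public Key Services,CN=Services in the Configuration partition. The script below dumps both using System.DirectoryServices, so it works with any PowerShell version on a domain-joined machine without the ActiveDirectory module. It assumes only read access to the directory; no container names, OIDs or attribute names are invented.

```powershell
# Added example (not from the original thread). Lists certificates that AD already
# holds: per-object userCertificate values and the CA certs in the AIA container.
# Assumes a domain-joined machine with read access to the default and configuration
# naming contexts; nothing else is configured or written.

$rootDse   = [ADSI]"LDAP://RootDSE"
$defaultNc = [string]$rootDse.defaultNamingContext
$configNc  = [string]$rootDse.configurationNamingContext

function Get-PublishedCertificates {
    param(
        [string]$SearchBase,   # DN to search under
        [string]$Filter,       # LDAP filter selecting the objects
        [string]$Attribute     # multi-valued attribute holding DER certificates
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $SearchBase)
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500     # page results so large domains do not hit the 1000-entry limit
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add($Attribute)

    foreach ($result in $searcher.FindAll()) {
        $dn = $result.Properties['distinguishedname'][0]
        # Each value is one DER-encoded certificate; parse it so subject/issuer/EKU are readable.
        foreach ($der in $result.Properties[$Attribute.ToLower()]) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$der)
            $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }  # Enhanced Key Usage
            New-Object PSObject -Property @{
                Object     = $dn
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                EKU        = if ($eku) { $eku.Format($false) } else { '(none)' }
            }
        }
    }
}

# 1. Certificates published against user and computer accounts. This is what the
#    "Published Certificates" tab in ADUC reads; it is still there when the CA is off.
Get-PublishedCertificates -SearchBase $defaultNc `
    -Filter '(&(|(objectCategory=person)(objectCategory=computer))(userCertificate=*))' `
    -Attribute 'userCertificate' |
    Format-Table Object, Subject, NotAfter, EKU -AutoSize

# 2. CA certificates in the Configuration partition. Domain members pull these to
#    build chains, which is why the CA cert is visible enterprise-wide with no extra store.
Get-PublishedCertificates -SearchBase "CN=AIA,CN=Public Key Services,CN=Services,$configNc" `
    -Filter '(objectClass=certificationAuthority)' `
    -Attribute 'cACertificate' |
    Format-Table Object, Subject, NotAfter, Thumbprint -AutoSize
```

Run it on any domain member; the first table shows the per-account certificates that get published when a template has "Publish certificate in Active Directory" set, the second shows the CA certificates the enterprise trusts. Note that a CRL lives in the CDP container as the poster observed, while the end-entity certificates live on the account objects themselves, so there is no separate "store" object to set permissions on; access is governed by the ACL on each user or computer object's userCertificate attribute.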
 
No I can't publish them via group policy because I do not
appear to have a "Shared Certificate Store" - this is the
whole point of this question. When I try to specify a
group policy I get the error message
******************************************************

Warning!
The Active Directory does not contain a shared
certificate store.

When configuring Active Directory based IPSec policy to
use certificate authentication the administrator must
ensure that each domain member has an appropriate
certificate installed.

Do you want to select a certificate authority from the
local machine certificate store?

********************************************************
This has occurred on every instance I have set up on
2000/2003, there being now 5 of them in total - hence I
have never got Certificates based IPSec to function
Automatically through group policy, manually is fine,
just use the certificates MMC on each machine to request
a Machine IPSec Certificate and configure auto-updating.
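Added example, not part of the original thread and not written by the poster. The warning quoted above puts the burden on the administrator to "ensure that each domain member has an appropriate certificate installed", and the poster's workaround is to request a machine certificate on each box by hand. The check below is what you would run on a member (locally, or wrapped in Invoke-Command against a list of computers) to confirm that a usable certificate is actually there before pushing a certificate-authenticated IPsec policy: it looks in LocalMachine\My for a certificate with a private key, in its validity period, chaining to a trusted root, and carrying an EKU that IPsec templates typically use. The EKU OIDs are the standard Windows ones; the issuer name "Contoso Issuing CA" is a placeholder you must replace, and the EKU filter is a sanity check to adjust to whatever template you enrolled.

```powershell
# Added example (not from the original thread). Verifies that this domain member holds a
# certificate suitable for certificate-based IPsec authentication. Placeholder: the
# issuer CN below must be changed to your own CA's name.

$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'    # "IP security IKE intermediate" (IPSec template)
$ClientAuthOid      = '1.3.6.1.5.5.7.3.2'    # "Client Authentication" (Computer template)
$ExpectedIssuerCn   = 'Contoso Issuing CA'   # placeholder, not a real CA

function Test-IpsecMachineCertificate {
    param([string]$IssuerCn)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $candidates = @()
        foreach ($cert in $store.Certificates) {
            # IKE signs with the private key, so a public-only cert is useless here.
            if (-not $cert.HasPrivateKey) { continue }
            $now = Get-Date
            if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { continue }
            # Restrict to the CA named in the IPsec policy's authentication method.
            if ($IssuerCn -and $cert.Issuer -notmatch [regex]::Escape($IssuerCn)) { continue }

            # EKU: absent means any purpose; if present, expect one of the IPsec-friendly OIDs.
            $eku     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $ekuOids = @()
            if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
            if ($eku -and -not (($ekuOids -contains $IkeIntermediateOid) -or ($ekuOids -contains $ClientAuthOid))) { continue }

            # Build the chain with revocation checking, which is what IKE does against the CDP.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'Online'
            $chainOk = $chain.Build($cert)

            $candidates += New-Object PSObject -Property @{
                Computer    = $env:COMPUTERNAME
                Subject     = $cert.Subject
                Issuer      = $cert.Issuer
                NotAfter    = $cert.NotAfter
                Thumbprint  = $cert.Thumbprint
                EKU         = ($ekuOids -join ',')
                ChainValid  = $chainOk
                ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            }
        }
        return $candidates
    }
    finally {
        $store.Close()
    }
}

$result = Test-IpsecMachineCertificate -IssuerCn $ExpectedIssuerCn
if (-not $result) {
    Write-Warning "$env:COMPUTERNAME has no usable machine certificate for IPsec; enrol one before applying the policy."
}
else {
    $result | Format-Table Subject, Issuer, NotAfter, ChainValid, ChainStatus -AutoSize
}
```

A member that prints the warning is exactly the one that will fail IKE negotiation silently once the policy lands; a member whose ChainValid is false with a RevocationStatusUnknown status usually cannot reach the CRL in the CDP container, which is worth fixing before blaming the certificate itself.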
 