Why enterprise root CA automatically isue certificates.

  • Thread starter Thread starter izael
  • Start date Start date
I

izael

Hi everyone, does anybody know if is there a way to make that
Microsoft win2000 Enterprise Root CA NOT automatically issue
certificates?

I want that an Administrator authorize any certificate request before
the certificate could be issued. I need to use an Enterprise root CA
because EAP-TLS only work with Enterprise CAs. Is it possible?

Thanks.
 
Microsoft win2000 Enterprise Root CA NOT automatically issue
certificates?

I want that an Administrator authorize any certificate request before
the certificate could be issued. I need to use an Enterprise root CA
because EAP-TLS only work with Enterprise CAs. Is it possible?

Thanks.
Click to expand...
You can change the default properties of the CA.

1) Open the Certification Authority
2) View the properties of the CA
3) View hte Policy module
4) Change the default Request Handling from using the ertificat etempalt
to set the certificate request status to pending.

Brian
 
Brian Komar said:
You can change the default properties of the CA.

1) Open the Certification Authority
2) View the properties of the CA
3) View hte Policy module
4) Change the default Request Handling from using the ertificat etempalt
to set the certificate request status to pending.

Brian
Click to expand...


Thaks Brian, but that procedure only works in a standalone CA. In an
Enterprise CA the optios is disabled, is ther a way to enable it?
 
Thaks Brian, but that procedure only works in a standalone CA. In an
Enterprise CA the optios is disabled, is ther a way to enable it?
Click to expand...
For an enterprise CA in Windows 2000, the default behavior is to base
the enrollment decision based on the DACL on the certificate template.
If you want to use pending of certificates, I recommend upgrading to the
win2k3 enterprise server running on enterprise edition.

Then, on a certificate template basis, you can choose to require CA
certificate manager approval for a specific certificate template.

With Windows 2000, the option is not available, as you have seen.

Brian
 
Brian Komar said:
For an enterprise CA in Windows 2000, the default behavior is to base
the enrollment decision based on the DACL on the certificate template.
If you want to use pending of certificates, I recommend upgrading to the
win2k3 enterprise server running on enterprise edition.

Then, on a certificate template basis, you can choose to require CA
certificate manager approval for a specific certificate template.

With Windows 2000, the option is not available, as you have seen.

Brian
Click to expand...


Thanks Brian!!!
 
Thanks Brian!!!
Click to expand...
Hi Izael,

Did some more digging with the product group, and here is a solution for
you.

The following will do the trick:
certutil -setreg policy\RequestDisposition +REQDISP_PENDINGFIRST net
stop certsvc net start certsvc

The certutil command will turn on the REQDISP_PENDINGFIRST but (0x100)
in the following REG_DWORD registry value:
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>
\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy
\RequestDisposition
Use a minus sign instead of a plus sign to turn off the bit.

The U/I disables this setting for Enterprise because the template can
typically be used to control this behavior, and because some enrollment
clients may not be able to handle a pending response to an enrollment
request. Making this configuration change makes sense for an Enterprise
Root CA when there are one or more other Enterprise CAs available. You
should also configure the CA to not be able to issue certs for most
templates, so autoenroll clients don’t unnecessarily produce pending
requests.
We don't typically expect a Root CA to be installed as an Enterprise CA,
when a hierarchy of CAs are available in the forest. In such a case, we
would expect the root CA to be installed as an offline Standalone CA in
a physically secure environment with no network access, unless security
was not a major concern.

For more information on why we recommend the offline root, see
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/
operate/ws3pkibp.asp

Brian
 
Back
Top