Certificate Problems using a Standalone Root CA & Ent Subordinate CA

Dannyrae74 (Technical User), Nov 28, 2006
Hi,

I'm trying to follow MS best practices by installing a Standalone Root CA on a workgroup server then an Enterprise Subordinate CA on a member server.

I've installed both CA servers and issued a certificate from the Root CA to the Enterprise Subordinate CA, but the Enterprise Subordinate CA won't autoenroll/issue certificates to Domain Controllers?

Is there a step I've missed or something I need to do on the Root CA to enable this?

All suggestions welcome.

Thanks in advance.

Daniel
 
One of the enhancements for Server 2003 was certificates that could be automatically enrolled. Autoenrollment is available only on VERSION 2 certificates. All certificates available on a new installation of the Certificate Server are by default version 1, which do NOT support autoenrollment. Open up the appropriate certificate, save as with a different name and set it up for autoenrollment and you should be good to go. Also make sure your group policy for the domain OU is set for autoenrollment. I can't remember the default settings right now.

Default Domain Controller Policy -> Windows Settings -> Security Settings -> Public Key Policy and select the "Enroll certificates automatically" and the first check box underneath.
 
And to use Version 2 Templates, you need Server 2003 Enterprise Edition. V2 certificates are not available on CAs running 2003 Standard edition. I would recommend 2008. I don't think it has the same requirements.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
Forgot to mention... You don't need Version 2 certificates if you are only issuing certs to computers. Use the "Automatic Certificate Request Settings" policy to allow computers to automatically acquire version 1 based certificates.

If you need to enroll users for EFS or other purposes, then you will need the version 2 based certificates and 2003 Enterprise.

PSC
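The replies above name three conditions for autoenrollment: a version 2 (or later) template, the template's autoenroll flag, and the "Enroll certificates automatically" policy applied to the client. The following PowerShell script is an added example (not from the thread or from Microsoft) that reports all three from a domain-joined host using ADSI; the registry key, attribute names and flag bit are Microsoft's, the check itself is mine.

```powershell
# Added example: why does an Enterprise CA not autoenroll? Checks template schema
# version (V1 vs V2), the template's autoenrollment bit, which templates each CA
# publishes, and the local result of the autoenrollment GPO. Assumes a domain-joined host.

$CT_FLAG_AUTO_ENROLLMENT = 0x20   # bit in msPKI-Enrollment-Flag
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pksBase  = "CN=Public Key Services,CN=Services,$configNC"

function Get-AdsiObjects($container, $filter, [string[]]$props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$container,$pksBase"
    $s.Filter = $filter
    $s.PropertiesToLoad.AddRange($props)
    $s.FindAll()
}

# 1+2. Templates: only schema version >= 2 with the autoenroll bit set can autoenroll.
$tplProps  = @("cn", "msPKI-Template-Schema-Version", "msPKI-Enrollment-Flag")
$templates = foreach ($r in Get-AdsiObjects "CN=Certificate Templates" "(objectClass=pKICertificateTemplate)" $tplProps) {
    $p = $r.Properties   # result property keys come back lower-cased
    $schema = if ($p["mspki-template-schema-version"].Count) { [int]$p["mspki-template-schema-version"][0] } else { 1 }
    $flags  = if ($p["mspki-enrollment-flag"].Count) { [int]$p["mspki-enrollment-flag"][0] } else { 0 }
    $autoBit = (($flags -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0)
    [pscustomobject]@{
        Template      = [string]$p["cn"][0]
        SchemaVersion = $schema
        AutoEnrollBit = $autoBit
        CanAutoEnroll = ($schema -ge 2) -and $autoBit
    }
}
$templates | Sort-Object Template | Format-Table -AutoSize

# 3. Templates each enterprise CA publishes; an unpublished template is never offered.
foreach ($ca in Get-AdsiObjects "CN=Enrollment Services" "(objectClass=pKIEnrollmentService)" @("cn", "certificateTemplates")) {
    "CA {0} publishes: {1}" -f $ca.Properties["cn"][0], (($ca.Properties["certificatetemplates"] | Sort-Object) -join ", ")
}

# 4. Local result of "Certificate Services Client - Auto-Enrollment".
# AEPolicy 7 = enabled with renew/update options, 0x8000 = disabled, absent = not configured.
$ae = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae)                 { "Autoenrollment GPO: not configured on this host" }
elseif ($ae.AEPolicy -band 0x8000) { "Autoenrollment GPO: explicitly disabled (AEPolicy=0x{0:X})" -f $ae.AEPolicy }
else                               { "Autoenrollment GPO: enabled (AEPolicy=0x{0:X})" -f $ae.AEPolicy }
```

Run it on the domain controller that fails to enroll; a template that shows SchemaVersion 1, or CanAutoEnroll False, or that is missing from the CA's published list, reproduces the situation described in the thread.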
 