SEC0029 - Windows 2008 CA User and Computer Certificate Auto-Enrollment
Category:
Security
The video walks you through the steps to deploy user and computer digital certificates from a Windows 2008 Certificate Authority (CA) server through auto-enrollment and Group Policy. This method automatically distributes certificates to your Windows users and domain-joined computers, which is very effective for a large-scale security deployment that requires user and/or machine authentication with client certificates, such as EAP-TLS. Auto-enrollment needs an enterprise (AD-integrated) CA rather than a standalone CA, since the templates and enrollment permissions live in Active Directory. This lab assumes you have an existing Windows certificate server and Active Directory (AD) infrastructure.
Topic includes
- Windows 2008 Certificate Server
- Certificate Auto-Enrollment
- Certificate Template
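The video itself is not on this page, so the following is an added example, not the lab's own script, showing the client-side checks a practitioner runs after the auto-enrollment GPO is applied: whether the policy reached the machine and user hives, whether the client clock agrees with the domain (the cause of the 0x800b0101 error discussed in the comments below), how to trigger enrollment without waiting for the next policy refresh, and which issued certificates came from which template. The template names LabUser and LabComputer and the domain controller name DC1 are assumptions; the registry location of the AEPolicy value is the standard one written by the "Certificate Services Client - Auto-Enrollment" policy.

```powershell
# Added example (not from the LabMinutes video): verify and trigger Windows CA
# auto-enrollment on a domain-joined client.
# Assumptions (not from the page): template names 'LabUser'/'LabComputer',
# domain controller 'DC1'. Run in an elevated PowerShell on the client.

$userTemplate     = 'LabUser'      # assumed name of the user certificate template
$computerTemplate = 'LabComputer'  # assumed name of the machine certificate template
$timeSource       = 'DC1'          # assumed DC to compare the local clock against

# 1. Has the auto-enrollment GPO been applied? The policy writes AEPolicy under
#    these keys; bit 0x1 = enabled, 0x2 = renew expired/update pending/remove
#    revoked, 0x4 = update certificates that use templates (7 = all three).
$aeKeys = @{
    'Computer' = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    'User'     = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
}
foreach ($scope in $aeKeys.Keys) {
    $val = (Get-ItemProperty -Path $aeKeys[$scope] -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $val) {
        Write-Warning "$scope auto-enrollment policy not present; GPO may not be applied (try gpupdate /force)"
    } else {
        Write-Host ("{0} AEPolicy = 0x{1:X} (enabled={2})" -f $scope, $val, (($val -band 1) -eq 1))
    }
}

# 2. Clock skew: 0x800B0101 ("not within its validity period") is usually a client
#    clock that is far from the CA/DC clock. The last line of the stripchart output
#    is the measured offset, e.g. "12:00:01, +00.0123456s"; minutes of skew is a problem.
$skewLine = w32tm /stripchart /computer:$timeSource /samples:1 /dataonly 2>&1 | Select-Object -Last 1
Write-Host "Offset vs ${timeSource}: $skewLine"

# 3. Kick auto-enrollment now instead of waiting for the policy refresh interval.
#    certutil -pulse triggers the user context; the machine context is the
#    scheduled task SystemTask under \Microsoft\Windows\CertificateServicesClient.
certutil -pulse | Out-Null
schtasks /run /tn '\Microsoft\Windows\CertificateServicesClient\SystemTask' | Out-Null

# 4. List certificates in the user and machine stores issued from a given template.
#    v2+ templates are recorded in the "Certificate Template Information" extension
#    (OID 1.3.6.1.4.1.311.21.7); its formatted text contains "Template=<name>(<oid>)"
#    when the client can resolve the template name from AD.
function Get-TemplateCerts {
    param([string]$StorePath, [string]$TemplateName)
    Get-ChildItem $StorePath | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $ext -and $ext.Format($false) -match [regex]::Escape($TemplateName)
    } | Select-Object Subject, NotBefore, NotAfter, Thumbprint
}

"`nUser certificates from template '$userTemplate':"
Get-TemplateCerts -StorePath 'Cert:\CurrentUser\My' -TemplateName $userTemplate | Format-Table -AutoSize
"`nComputer certificates from template '$computerTemplate':"
Get-TemplateCerts -StorePath 'Cert:\LocalMachine\My' -TemplateName $computerTemplate | Format-Table -AutoSize
```

If step 1 shows the policy but step 4 shows no certificate, check the template's Security tab on the CA (the user or computer group needs Read, Enroll and Autoenroll) and the Application event log for CertificateServicesClient-AutoEnrollment events, which state the reason enrollment was skipped.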
autoenrollment
Is there a way to ensure the user certificate is installed on all computers the user logs into? In my experience the cert only installs once.
autoenrollment
If the user GPO is set up properly, by default you should get a user cert on each domain computer the user logs into. There shouldn't be any special config you need to do.
Hi
I followed exactly the same steps to create my lab CA and certificate enrollment.
However, I realized that on the machine template you didn't add the fully distinguished name on the Subject tab. This was causing me issues authenticating a device with ISE. Thanks for the video.
Thank you for sharing. Maybe
Thank you for sharing. Maybe it is a good idea to also select the FQDN, although we did not run into any issue in our ISE labs.
Did we utilize SCEP in that video?
1- Is that video using SCEP, or did we just use Group Policy and not SCEP or NDES?
2- Is NDES only used with routers, ASA, AnyConnect and other network devices, or can it be used with machines also? Please help.
Did we utilize SCEP in that video?
No SCEP, just GPO. SCEP is usually used by network devices or a capable server. The computer should be joined to the domain and get its certificate via GPO. A non-domain computer can request a cert through the web.
What server roles do I have to install to do that?
1- What exactly are the Windows Server roles that I have to install to do auto-enrollment like in that video?
2- Do I need to install the Certificate Authority Web Enrollment service in that video?
What server roles do I have to install to do that?
You should only need the CA role, but it does not hurt to install the web enrollment. You need to make sure the Windows version is Enterprise, as well as the CA being an enterprise and not a standalone CA. You can see how the CA was installed and configured in our cert videos.
http://www.labminutes.com/video/sec/Certificate
What if logged in on another user's machine?
What if I log in on another user's machine with my domain account? Will the CA issue me a certificate with my name and store it on the other user's machine?
If logged in to another machine with my domain account
What if logged in on another user's machine?
Once a user certificate is generated, it will follow the user regardless of the machine he/she logs into.
Certificate not auto-enrolling
I followed this guide but the certs are not being pushed to the computers or the users.
I tried to manually request the cert from within MMC. I see the cert template available; however, when I click Enroll I get the error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error parsing request: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
Certificate not auto-enrolling
Can you verify that client system clock is the same as the server clock?