View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0029 - Windows 2008 CA User and Computer Certificate Auto-Enrollment

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>

The video walks you through steps to deploy user and computer digital certificates from Windows 2008 Certificate Authority (CA) server through auto-enrollment and Group Policy. This method allows you to automatically distribute certificates to your Windows users, which is very effective for a large scale security deployment that requires either or both user and machine authentication using client-based certificate such as EAP-TLS. This lab assumes you have existing Windows certificate server and Active Directory (AD) infrastructure.

Topic includes
  • Windows 2008 Certificate Server
  • Certificate Auto-Enrollment
  • Certificate Template

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

14 comments

is there a way to ensure the user certificate is installed to all computers the user logs into? in my experience the cert only installs once.

If the user GPO is setup properly by default, you should get user cert on each of the domain computer user log into. There shouldn't be special config you need to do.

I followed exactly the same steps to create my lab CA and certificate enrollment.
However, I realized that on the machine template you didn't add the fully distinguished name on the Subject tab. This was causing me issues in order to authenticate a device with ISE. Thanks for the video.

Thank you for sharing. May be it is a good idea to also select FQDN although we did not run into any issue on our ISE labs.

1- is that video using the SCEP ? or just we used group policy and we are not using the SCEP or NDES.?
2- is NDES are only used with Routers, ASA, any connect and other network devices or it can be used with Machines also.? please help

No SCEP, just GPO. SCEP is usually used by network devices or capable server. Computer should be joined to domain and get its certificate via GPO. Non-domain computer can request a cert through the web.

1-what exactly the windows server Roles, that i have to install to do the auto enrollment like that video ?
2-do i need to install the certificate authority web enrollment service in that video ?

You should only need CA role but it does not hurt to install the web enrollment. You need to make sure the Windows version is enterprise as well as the CA being an enterprise and not standalone CA. You can see how the CA was installed and configured on our cert videos.

http://www.labminutes.com/video/sec/Certificate

 

You should only need CA role but it does not hurt to install the web enrollment. You need to make sure the Windows version is enterprise as well as the CA being an enterprise and not standalone CA. You can see how the CA was installed and configured on our cert videos.

http://www.labminutes.com/video/sec/Certificate

 

what if logged in other user machine with my domain account, shall CA issue me certificate with my name and stored in other user machine.?

what if loggeed in other user machine, ??
what if logged in other user machine with my domain account, shall CA issue me certificate with my name and stored in other user machin

Once a user certificate is generated, it will follow the user regardless of the machine he/she logs into.

I follow this guide but the certs are not being pushed to the computer nor the users.
I tried to manually request the cert from within mmc, I see the cert template available, however when I click enroll I get the error: a required certificate in not its validity period when verifying against the current system clock or the timestamp in the signed file.
error parsing rewurest A required certificate is not within its validity period when verifying agains the current system clock or the timestamp in the signed file. 0x800b0101 ( -2146762495)

Can you verify that client system clock is the same as the server clock?