Re: Auto-Enrollment of Certificates

From: Michiko Short [MSFT] (michikos_at_online.microsoft.com)
Date: 01/20/05


Date: Wed, 19 Jan 2005 16:33:45 -0800

The adminpak is available on your Windows Server 2003 CD. KB Q314978 tells
how to install on various versions.

Yes, you can use an enterprise CA to issue your certificates.

Anything else?

--
Michiko Short [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for 
newsgroup purposes only.
"Priya" <Priya@discussions.microsoft.com> wrote in message 
news:A0114F8E-2EDD-4318-9007-F959DECA84F9@microsoft.com...
> Thanks Michiko for your reply.
>
> What I understood from your reply is that I need to have an Active Directory
> environment in my Windows XP OS and for that I need to install the
> Administration Tools Pack (Adminpak.msi). Correct me if I am wrong. Could you
> please tell me from where can I install this Administration Tools Pack?
>
> And as you have mentioned "Auto-enrollment cannot be used to get certs from
> third party CAs. If you wanted to use autoenrollment with the Verisign
> hierarchy then you would need to work with Verisign and deploy a Windows
> Server 2003 subordinate CA in your environment."
>
> After reading the white paper, especially - "Automatic enrollment of user
> certificates provides a quick and simple way to issue certificates to users
> and to enable public key infrastructure (PKI) applications, such as smart
> card logon, Encrypting File System (EFS), Secure Sockets Layer (SSL),
> Secure/Multipurpose Internet Mail Extension (S/MIME), and others, within an
> Active Directory directory service environment." So, I thought instead of
> getting certificates from third party CAs, we can get the certificates by
> using this. Please let me know if I am correct in thinking this.
>
> Please note: This all is in context to making a custom CSP.
>
> Thanks in advance.
>
> Regards,
> Priya.
>
>
> "Michiko Short [MSFT]" wrote:
>
>> Priya,
>> First, to answer your question about why you cannot see the Certificate
>> Templates snap-in. This is an Active Directory configuration, so assuming
>> your Windows XP system is part of an Active Directory environment, you need
>> to install the Administration Tools Pack (Adminpak.msi).
>>
>> This whitepaper describes how to use auto-enrollment with Windows Server
>> 2003 CAs. For this to work you need to have an Active Directory environment
>> using Windows Server 2003 issuing CAs and the workstations must belong to a
>> domain. This is explained under "Key Points" in "How Autoenrollment Works".
>>
>> Auto-enrollment cannot be used to get certs from third party CAs. If you
>> wanted to use autoenrollment with the Verisign hierarchy then you would need
>> to work with Verisign and deploy a Windows Server 2003 subordinate CA in
>> your environment.
>>
>> Did that answer your questions?
>> --
>> Michiko Short [MSFT]
>>
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>> Please do not send e-mail directly to this alias. This alias is for
>> newsgroup purposes only.
>>
>>
>> "Priya" <Priya@discussions.microsoft.com> wrote in message
>> news:50FFF9E9-4A82-4A6A-8BD6-A7075D5F3508@microsoft.com...
>> > Hello All,
>> >
>> > Below is a link, which is a white paper for Auto-enrollment of
>> > Certificates:
>> >
>> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
>> >
>> > I tried to follow the mentioned steps, but I did not find Certificate
>> > template in the 'Add Standalone Snap-In', I can just see Certificates
>> > option there. Let me tell you that I have Windows XP OS. So, please let me
>> > know how to go about it. Also, I wanted to know if this is an alternative
>> > to get the certificates for our CSPs from certain authorized organization
>> > like VeriSign.com.
>> >
>> > Thanks in advance.
>> >
>> > Regards,
>> > Priya.
>> >
>>
>>
>> 

