Re: Certificate Autoenrollment
From: Eduard Koller [MSFT] (eduardk_at_online.microsoft.com)
Date: 06/14/05
Date: Tue, 14 Jun 2005 13:20:02 -0700
One of the reasons you may need a DC cert is for verification of smartcard
logons.
I don't see any reason for which you would want to prevent the DCs from
enrolling for certs.
However, if you really want to, you can remove the template from the list of
the templates your CA can issue. Yes, you can add it back later.
--
Eduard Koller[MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"paulcerv" <paulcerv@discussions.microsoft.com> wrote in message
news:7B9C837E-4E81-461D-ABA7-BEA534D8D635@microsoft.com...
> Hoping someone might be able to enlighten me on this subject and correct any
> assumptions I am making that might be wrong. Thanks in advance.
>
> When you set up your CA you can specify in the capolicy.inf file which pki
> services you wish to provide to users/computers. Some of these, such as
> basic EFS and Domain Controller, are set up for autoenrollment by default as
> defined in group policy. This is fine, except for when you want to limit
> who/what can request the certificates. I have both basic EFS and Domain
> Controller certificates being issued. I don't want to implement these
> certificates yet and wish to control the requests which are building up in
> my pending queue. I was able to modify the Autoenrollment setting in Group
> Policy for my Win2003 Domain Controllers to stop them from requesting
> certificates, but the Win2000 DCs are still requesting and I have not found
> where the setting in group policy is to control this. I can also remove
> this template from the certificate store, but I read a warning that once
> removed you cannot issue certificates based on the template anymore. Not
> sure if this simply meant that a custom template definition would not be
> available as I can't see any restriction that would keep me from adding it
> back in after I removed it. This brings up the question, "Am I being a
> paranoid control freak." Should I just allow the domain controllers to
> request their certificates even though I have not implemented anything yet
> based on those certs? Just a bit confused why MS would assume this is how an
> admin would want the default behavior.