Re: Issuing Web Browser digital certificates

From: Brian Komar [MVP] (bkomar_at_nospam.identit.ca)
Date: 10/28/05


Date: Thu, 27 Oct 2005 22:06:07 -0500

In article <1130463549.125111.8520@f14g2000cwb.googlegroups.com>,
william.a.hunter@gmail.com says...
> Hello ..
> My company would like to have an offline Windows Server 2003 standalone
> Certificate Authority. This CA would issue SSL certificates for an
> Extranet. Users would either be sent a certificate to install or a tech
> from our company would visit each client and perform the install.
>
> My issue is that I am only aware of using the certsrv web that comes
> with certificate services to request and install certificates for web
> browsing. I am really not sure how to initiate a request at our offline
> CA server on behalf of each user, how to generate the file, and how to
> install the file in their personal certificate store in Internet
> Explorer manually.
>
> I know this isn't the most secure thing to do .. using the web based
> certificate request/install is the best idea, however, they'd like the
> server to be offline, and have techs install the certificates in each
> users profile manually. Any ideas on what I need to do? I looked at
> certreq.exe but was having issues with the policy.inf file.
>
> Any advice or info is appreciated.
>
> Thanks!
> william.a.hunter@gmail.com
>
>
Have the Web servers generate their Web Server certificate requests, and
then forward the PKCS#10 request files (.req or .txt) to a person with
access to the Web server. Then submit the request using the Web
enrollment pages (http://webserver/certsrv).
For IIS, this can be done in the IIS wizard by choosing to submit the
request to a commercial or offline CA.

The request would be pended by default. The certificate can then be
issued and the released certificate exported to a Base64 file for
installation at the Web server.

This will work for most Web servers out there, including non-IIS
servers.

You will have to do more though:
- Make sure that the offline root is added to the trusted root store of
all clients and web servers that will connect to the Web server
- Ensure that the web server's CRL is published to an online server.

HTH,
Brian
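The workflow in Brian's reply (request generated on the web server, submitted to the offline standalone CA, pended, issued, exported as Base64, installed, plus the root-trust and CRL follow-ups), as an added example that is not part of the original thread. It is scripted with certreq.exe and certutil.exe, the command-line tools that ship with Windows Server 2003 Certificate Services; the CA name, hostnames, file paths and subject name are assumed placeholders. Note that `certreq -new` takes a request INF with a `[NewRequest]` section; policy.inf is only used by `certreq -policy`, which is a different mode.

```powershell
# Added example, not part of the original thread: the offline standalone CA
# workflow described in the reply, driven with certreq.exe and certutil.exe.
# Every hostname, CA name, path and subject below is an assumed placeholder.

$CaConfig   = 'OFFLINECA\Contoso Offline Root CA'   # assumed: <CA host>\<CA common name>
$CrlHttpUrl = 'http://pki.contoso.com/CertEnroll'   # assumed: online host that will serve the CRL

# --- Step 1, on the web server: generate the key pair and a PKCS#10 request. ---
# The key is created where the certificate will live (machine store, non-exportable),
# so only the request file ever travels to the offline CA.
function New-WebServerRequest {
    param([string]$Fqdn, [string]$InfPath, [string]$ReqPath)
    @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1                     ; AT_KEYEXCHANGE, needed for SSL key exchange
Exportable = FALSE
MachineKeySet = TRUE            ; machine store, not a user profile
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1         ; Server Authentication
"@ | Set-Content -Path $InfPath -Encoding ASCII
    & certreq.exe -new $InfPath $ReqPath      # writes the Base64 PKCS#10 to $ReqPath
}

# --- Step 2, on the offline CA: submit the request. ---
# A standalone CA pends every request by default; certreq prints the RequestId
# that is needed to issue and retrieve it later.
function Submit-PendingRequest {
    param([string]$ReqPath)
    $text = (& certreq.exe -submit -config $CaConfig $ReqPath) | Out-String
    if ($text -match 'RequestId:\s*(\d+)') { return [int]$Matches[1] }
    throw "certreq did not return a RequestId: $text"
}

# --- Step 3, on the offline CA: issue the pended request and export it. ---
function Approve-AndExport {
    param([int]$RequestId, [string]$CerPath)
    & certutil.exe -resubmit $RequestId                           # issue the pended request
    & certreq.exe -retrieve -config $CaConfig $RequestId $CerPath # DER certificate
    & certutil.exe -encode $CerPath "$CerPath.b64"                # Base64 copy for non-IIS servers
    & certutil.exe -config $CaConfig -ca.cert "$CerPath.root.cer" # root cert for the trust stores
}

# --- Step 4, on the web server: bind the issued certificate to the pending key. ---
# certreq -accept locates the matching private key in the machine store; IIS can
# then select the certificate in the site's Directory Security settings.
function Install-IssuedCert {
    param([string]$CerPath)
    & certreq.exe -accept $CerPath
}

# --- Step 5, the two extra items the reply calls out: trust and revocation. ---
# Run on every client and on the web server itself.
function Install-RootCert {
    param([string]$RootCerPath)
    & certutil.exe -addstore Root $RootCerPath
}

# Run on the CA. Flag 65 = 1 (publish CRL) + 64 (publish delta CRL) to the local
# file; flag 6 = 2 (put the URL in the CDP extension of issued certs) + 4 (put it in
# the Freshest CRL extension). %3, %8 and %9 are certutil's CA-name and CRL-suffix
# tokens. The CA is offline, so the .crl file in CertEnroll must be copied to the
# online host by hand before the current CRL expires.
function Publish-CrlLocation {
    $local = '65:C:\WINDOWS\system32\CertSrv\CertEnroll\%3%8%9.crl'
    $http  = "6:$CrlHttpUrl/%3%8%9.crl"
    & certutil.exe -setreg 'CA\CRLPublicationURLs' "$local\n$http"
    & net.exe stop certsvc; & net.exe start certsvc   # registry change needs a service restart
    & certutil.exe -CRL                                # generate a fresh CRL now
}

# Check: walks the chain and actually fetches the CDP. A failure here means clients
# will get revocation-check errors even though the certificate itself is valid.
function Test-IssuedCert {
    param([string]$CerPath)
    & certutil.exe -verify -urlfetch $CerPath
    return ($LASTEXITCODE -eq 0)
}
```

Typical order: `New-WebServerRequest` on the web server, carry the .req to the CA and run `Submit-PendingRequest` then `Approve-AndExport`, carry the .cer (or .b64) back and run `Install-IssuedCert`, then `Install-RootCert` everywhere and `Publish-CrlLocation` once on the CA before issuing. `Publish-CrlLocation` must run before the web server certificate is issued, because the CDP URL is written into the certificate at issuance and cannot be changed afterwards. Run `Test-IssuedCert` from a machine that is not the CA so the URL fetch exercises the real online CRL location.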