Re: Issuing Web Browser digital certificates

From: Brian Komar [MVP] (bkomar_at_nospam.identit.ca)
Date: 10/28/05


Date: Thu, 27 Oct 2005 22:06:07 -0500

In article <1130463549.125111.8520@f14g2000cwb.googlegroups.com>,
william.a.hunter@gmail.com says...
> Hello ..
> My company would like to have an offline Windows Server 2003 standalone
> Certificate Authority. This CA would issue SSL certificates for an
> Extranet. Users would either be sent a certificate to install or a tech
> from or company would visit each client and perform the install.
>
> My issue is that I am only aware of using the certsrv web that comes
> with certificate services to request and install certificates for web
> browsing. I am really not sure how to initiate a request at our offline
> CA server on behalf of each user, how to generate the file, and how to
> install the file in their personal certificate store in Internet
> Explorer manually.
>
> I know this isn't the most secure thing to do .. using the web based
> certificate request/install is the best idea, however, they'd like the
> server to be offline, and have techs install the certificates in each
> users profile manually. Any ideas on what I need to do? I looked at
> certreq.exe but was having issues with the policy.inf file.
>
> Any advice or info is appreciated.
>
> Thanks!
> william.a.hunter@gmail.com
>
>
Have the Web servers generate their Web Server certificate requests, and
then forward the PKCS#10 request files (.req or .txt) to a person with
access to the Web server. Then submit the request using the Web
enrollment pages (http://webserver/certsrv).
For IIS, this can be done in the IIS wizard by choosing to submit the
request to a commercial or offline CA.

The request would be pended by default. The certificate can then be
issued and the released certificate exported to a Base64 file for
installation at the Web server.

This will work for most Web servers out there, including non-IIS
servers.

You will have to do more though:
- Make sure that the offline root is added to the trusted root store of
all clients and web servers that will connect to the Web server
- Ensure that the web server's CRL is published to an online server.

HTH,
Brian



Relevant Pages

  • RE: General Certificate Question
    ... On the "Web Server Certificate" page, choose "Create a new Web server ... If you do not run SBS, please repost your issue in Windows server newsgroup ...
    (microsoft.public.windows.server.sbs)
  • Re: Issuing Enterprise Subordinate CA - Why not a DC?
    ... You will have to prep the offline CA before it issues any ... CRL and CA certificate and applications could fail if not available. ... is no need to ever put an offline CA on the network. ... >> server and operating system is not cheap for many businesses. ...
    (microsoft.public.windows.server.security)
  • Re: IIS 5.0 Certificate
    ... Your Web server do not send out private key. ... Review this kb on how to use Cert Server with IIS ... Using Certificate Server 2.0 to Generate a Server Certificate for Use with ...
    (microsoft.public.inetserver.iis.security)
  • IIS 6 Directory Services Mapping ACL Problems
    ... We are trying to configure certificate based logins using the ... When I authenticate on our web server with my certificate I my domain ... account username shows up in the web log. ... The files are stored on another server in the domain. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Secure automation?
    ... To provide secured web services, a server SSL certificate is ... The downside with this is that the web server will ask ... To be able to verify a server certificate, a web browser needs to ...
    (comp.security.unix)