Re: Create certificates with CA

From: D. Cross [MS] (vaq130@hotmail.com)
Date: 05/30/02


From: "D. Cross [MS]" <vaq130@hotmail.com>
Date: Thu, 30 May 2002 06:37:21 -0700


1. The CA does impersonation and requires authentication on the web page if
you are using an enterprise CA - this prevents one user from getting a cert
in another user's name.

2. This is a little tricky, but I recommend using a standalone CA for this
purpose which does not require authentication. You can create the cert for
that user in their name and then export the cert as a *.pfx file and give it
to him to install.

--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Rob Oldfield" <rob@@realuk..co..uk> wrote in message
news:uVPNoKwBCHA.2444@tkmsftngp05...
> Hi all,
>
> I have set up CA on one of my servers and everything is working fine,
> but....
>
> At the moment the only method I have of getting a certificate to a user is
> to get their machine to browse to CertSrv and request a cert.  I can then
> view that request and issue or deny.  What happens, though, if a malicious
> user browses to CertSrv and simply fills in the details from somebody else?
>
> I see two ways of getting around this, but I'm not sure if either is
> possible..
>
> 1)  Is there some way of checking on the request?  Specifically, is there
> some way of finding out the IP that the request originated from?
>
> 2)  Is there any way of issuing a certificate for a particular user locally.
> The idea being that if I want to grant John Smith access, I create a
> certificate for him and mail it to him.  He can then install it.
>
> Any ideas?
>
>
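
The second suggestion in the reply (create the cert in the user's name on a standalone CA, export it as a *.pfx, hand it over), sketched with current Windows tooling as an added example that is not part of the original thread. The CA config string, file names and request ID are placeholders; the subject name comes from the question.

```powershell
# Added example, run by the administrator on a workstation.
# Placeholders: $caConfig, the jsmith.* file names and $requestId.
$caConfig = 'CAHOST\Example Standalone CA'   # "host\CA name" (placeholder)
$subject  = 'CN=John Smith'                  # must match Subject in the INF

# 1. Request policy: a user-store key pair that is allowed to be exported.
@'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=John Smith"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2
'@ | Set-Content -Path .\jsmith.inf -Encoding ASCII   # OID = client authentication

# 2. Generate the key pair and PKCS#10 request, then submit it to the CA.
certreq -new .\jsmith.inf .\jsmith.req
certreq -submit -config $caConfig .\jsmith.req .\jsmith.cer

# 3. A standalone CA leaves requests pending by default. The CA does not
#    authenticate the requester, so the administrator's review at this
#    point is the only identity check before issuing.
$requestId = 0                                     # placeholder: ID printed by -submit
certutil -config $caConfig -resubmit $requestId    # issue; needs CA admin rights
certreq -retrieve -config $caConfig $requestId .\jsmith.cer

# 4. Bind the issued certificate to the private key created in step 2.
certreq -accept .\jsmith.cer

# 5. Export certificate plus private key as a password-protected PFX.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert | Export-PfxCertificate -FilePath .\jsmith.pfx -Password $pfxPassword

# 6. Remove the administrator's copy of the certificate and its key.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

The .pfx file contains the user's private key, so the password should reach the user by a different channel than the file itself.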

