Re: Shared Certificate Store in Active Directory

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 12/25/03


Date: Thu, 25 Dec 2003 06:59:39 -0800

There is no need to store IPSEC certs in the AD for IPSEC, the certs are
exchanged as part of the IKE negotiation. Same thing for SSL/TLS. The
case where a lookup is needed is when encryption is used such as in S/MIME.
In that case the certificate is stored on the user object on an attribute
known as userCertificate.

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Steve Buckley" <anonymous@discussions.microsoft.com> wrote in message
news:00f001c3ca6f$31554bc0$a601280a@phx.gbl...
> WARNING - This question is not as easy as it may first
> seem, this is a repost of a question originally asked in
> the Active Directory forum.
>
> How do you configure a "Shared Certificate Store" in
> Active Directory so you can make Certificates and their
> associated Public Keys available to members of the
> Enterprise, for example to enable IPSec encryption using
> Certificates rather than Kerberos?
>
> They are clearly stored *somewhere* already as they are
> visible against the user/machine accounts in the Active
> Directory Users & Computers MMC.
> The CDP container only contains the CRL object - where is
> the actual store and how do you set permissions on it?
> Or do you have to create one somehow?
>
> I have been puzzling over this one for a good 6 months -
> if someone comes back to me with click on "Allow
> certificates to be published in Active Directory" I'll
> slap them for not reading my question.
>
> The answer to this question does not appear to be in any
> of the Microsoft Security MCSE core texts or Technet.
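As an added illustration of the lookup David describes (this is not code from either poster), the script below reads the multi-valued userCertificate attribute on a recipient's user object, parses each DER blob, and keeps only the certificates that are actually usable for S/MIME encryption: inside their validity window, carrying the Secure Email EKU, permitting key encipherment, and chaining to a trusted root on the querying machine. It assumes the RSAT ActiveDirectory module on a domain-joined host; the recipient address is a placeholder. Note that AD publishes only the public certificate; the private key never leaves the owner's profile, and the directory is a distribution point, not a trust anchor, so the chain check at the end is not optional.

```powershell
# Added example (not from the original post): find a recipient's published
# certificates on their AD user object and select the ones fit for S/MIME.
# Assumes the RSAT ActiveDirectory module on a domain-joined machine.
param(
    [string]$Recipient = 'alice@contoso.example'   # placeholder address
)

Import-Module ActiveDirectory

# userCertificate is multi-valued: every certificate ever published for the
# account (including expired or superseded ones) is present as a DER blob.
$user = Get-ADUser -Filter "mail -eq '$Recipient'" -Properties userCertificate
if (-not $user) { throw "No user with mail=$Recipient" }

$emailProtectionOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (Secure Email)
$now = Get-Date

$usable = foreach ($der in $user.userCertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)

    # Drop anything outside its validity window.
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { continue }

    # Require the Secure Email EKU: a smart-card logon or IPsec certificate
    # published to the same attribute is not an S/MIME encryption certificate.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains $emailProtectionOid)) { continue }

    # If a Key Usage extension is present it must allow key encipherment,
    # which is what RSA key transport in CMS/S-MIME needs.
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku -and -not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)) { continue }

    # The directory only distributes the certificate; build and check the chain
    # (trust and revocation) against this machine's store before using it.
    if (-not $cert.Verify()) { continue }

    $cert
}

$usable | Select-Object Subject, Thumbprint, NotAfter
```

Run it as a user who can read the target account; the resulting list is what a mail client would choose from when encrypting to that recipient. If it comes back empty but the attribute is populated, the usual causes are a stale certificate that was never cleaned up after re-enrollment, or a CRL distribution point the querying machine cannot reach, which makes Verify() fail.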

