Re: Shared Certificate Store in Active Directory
From: Steve Buckley (anonymous_at_discussions.microsoft.com)
Date: 12/27/03
- Next message: Paul Lynch: "Re: Best Way to Change Password via the Web?"
- Previous message: Steven L Umbach: "Re: Open Ports"
- In reply to: David Cross [MS]: "Re: Shared Certificate Store in Active Directory"
- Next in thread: Brian Komar : "Re: Shared Certificate Store in Active Directory"
- Reply: Brian Komar : "Re: Shared Certificate Store in Active Directory"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 27 Dec 2003 14:46:04 -0800
An interesting observation, and it is how I originally figured it worked; however, it appears not to be entirely the case. How do you set up a "Shared Certificate Store"? Is the error a bug in the group policy object?
It would make sense to have a shared store so applications can directly access Certificates & Public Keys that are trusted/validated through AD, and if you try to enforce Certificate-Based Encryption via Group Policy using the Local Security Policy keys you are warned:
******************************************************
Warning!
The Active Directory does not contain a shared
certificate store.
When configuring Active Directory based IPSec policy to
use certificate authentication the administrator must
ensure that each domain member has an appropriate
certificate installed.
Do you want to select a certificate authority from the
local machine certificate store?
********************************************************
There is also the option in the Output Module of the Certificate server to publish in Active Directory; however, checking this box "appears" to not do anything - maybe it just associates the certificate with the user object, but then again it does this without the box ticked as well.
What is your interpretation of the above error/warning message?
>-----Original Message-----
>There is no need to store IPSEC certs in the AD for IPSEC, the certs are
>exchanged as part of the IKE negotiation. Same thing for SSL/TLS. The
>case where a lookup is needed is when encryption is used such as in S/MIME.
>In that case the certificate is stored on the user object on an attribute
>known as userCertificate.
>
>--
>
>
>David B. Cross [MS]
>
>--
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>http://support.microsoft.com
>
>"Steve Buckley" <anonymous@discussions.microsoft.com> wrote in message
>news:00f001c3ca6f$31554bc0$a601280a@phx.gbl...
>> WARNING - This question is not as easy as it may first
>> seem, this is a repost of a question originally asked in
>> the Active Directory forum.
>>
>> How do you configure a "Shared Certificate Store" in
>> Active Directory so you can make Certificates and their
>> associated Public Keys available to members of the
>> Enterprise, for example to enable IPSec encryption using
>> Certificates rather than Kerberos?
>>
>> They are clearly stored *somewhere* already as they are
>> visible against the user/machine accounts in the Active
>> Directory Users & Computers MMC.
>> The CDP container only contains the CRL object - where is
>> the actual store and how do you set permissions on it?
>> Or do you have to create one somehow?
>>
>> I have been puzzling over this one for a good 6 months -
>> if someone comes back to me with click on "Allow
>> certificates to be published in Active Directory" I'll
>> slap them for not reading my question.
>> .
>>
>> The answer to this question does not appear to be in any
>> of the Microsoft Security MCSE core texts or Technet.
>
>
>.
>
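Added example, not part of the thread or of any poster's reply: the two checks that follow from David Cross's answer, in PowerShell. Part 1 reads the userCertificate attribute on user objects (the S/MIME lookup case) and part 2 inspects the local machine store, which the GPO warning says must hold each domain member's IPSec certificate. It assumes the ActiveDirectory module on a domain-joined host; the EKU OIDs used for the "usable for purpose" flags are my assumptions, not from the page.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$SecureEmailOid     = '1.3.6.1.5.5.7.3.4'  # id-kp-emailProtection (S/MIME), assumed
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'  # IP security IKE intermediate, assumed
$ClientAuthOid      = '1.3.6.1.5.5.7.3.2'  # id-kp-clientAuth, assumed

# Return the EKU OID strings of a certificate; an empty list means no EKU extension.
function Get-CertEkus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# 1. S/MIME lookup case: certificates stored on the user object's userCertificate attribute.
#    Each attribute value is a DER-encoded certificate, parsed here with X509Certificate2.
Get-ADUser -Filter * -Properties userCertificate | ForEach-Object {
    $user = $_
    foreach ($der in $user.userCertificate) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList @(,[byte[]]$der)
        $ekus = Get-CertEkus $cert
        [pscustomobject]@{
            User         = $user.SamAccountName
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            SMimeCapable = ($ekus.Count -eq 0) -or ($ekus -contains $SecureEmailOid)
            ChainOk      = $cert.Verify()   # chains to a trusted root on this host
        }
    }
}

# 2. IPSec case: no directory store is involved; the per-machine certificate must sit in
#    the local machine store with its private key, as the GPO warning requires.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $ekus = Get-CertEkus $_
    [pscustomobject]@{
        Subject     = $_.Subject
        Issuer      = $_.Issuer
        NotAfter    = $_.NotAfter
        IPSecUsable = ($ekus.Count -eq 0) -or ($ekus -contains $IkeIntermediateOid) `
                      -or ($ekus -contains $ClientAuthOid)
        ChainOk     = $_.Verify()
    }
}
```

Run part 2 on each domain member (for example via a remoting session) to confirm that every host has a chain-valid machine certificate before switching the IPSec policy from Kerberos to certificate authentication.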