Re: Re-enrollment of Certificate on Win 2000

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 07/19/05


Date: Tue, 19 Jul 2005 06:21:49 -0500

The enroll.vbs script is not intended for high value certificates that
require certificate manager approval. In fact, autoenrollment in Windows
XP is not intended for the scenario that you describe.

If you are requiring CA certificate manager approval with the Windows
Server 2003 PKI, the enrollment should be performed through the Web
Enrollment Pages so that the user can check back on the status of their
renewal request.

If your requirement is to ensure that the correct user has the VPN
authentication certificate, then autoenrollment should not really be
used in the issuance process.

Brian

In article <OS5x0UAjFHA.2180@TK2MSFTNGP15.phx.gbl>,
eduardk@online.microsoft.com says...
> Subject: Re: Re-enrollment of Certificate on Win 2000
> From: Eduard Koller [MSFT] <eduardk@online.microsoft.com>
> Newsgroups: microsoft.public.windows.server.security
>
> 1) When you check the "requires CA Certificate Manager approval" checkbox,
> all the cert requests will get pended, and will need to be issued by the CA
> admin
> 2) No, I'm not aware of any way of doing this
> 3) Yes, this is normal. And yes, you should leave the expired certificate
> listed in the Issued certificates (you cannot delete them from there
> anyway...)
>
>
> --
> Eduard Koller[MS]
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Nancy Kafer" <nkafer@homesteaderslife.com> wrote in message
> news:OQSe0Z1eFHA.4040@TK2MSFTNGP14.phx.gbl...
> > I am relatively new to PKI and am working with renewing certificates. I
> > have a Win 2K3 Enterprise Edition server as my CA. I also have
> > approximately 30 laptops (running Windows 2000) with VPN certificates.
> > These certificates are set to expire during the next few months. I know
> > that if I was running Win XP my certificates could auto-reenroll.
> > However, I know that I have to use a script to renew my Win 2K machines.
> > I have taken a copy of the Enroll.vbs script from the "Windows Server
> > 2003 PKI Certificate Security" manual and modified it to account for our
> > environment.
> >
> > I have a few questions about renewing certificates:
> >
> > 1) I have the issuance requirements on my VPN certificate set to "CA
> > Certificate Manager approval" for enrollment and checked "Valid existing
> > certificate" for re-enrollment. My issue is that when I run the
> > enroll.vbs script my certificate request gets pended instead of
> > automatically issuing a renewal. So then my script fails. I have made
> > sure that I am specifying /renew as a command line parameter on my
> > cscript command. When I uncheck the "CA Certificate Manager" checkbox
> > and re-run the enroll.vbs script my certificate is issued. Why will the
> > script not automatically renew my certificate when this box is checked?
> > Is the re-enrollment requirement only valid for Win XP? I really don't
> > want to uncheck this box because it is a

-- 
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
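The failure mode discussed in this thread, a script that treats a pended request as an error, as an added example that is not part of the thread and is not the Enroll.vbs script from the "Windows Server 2003 PKI and Certificate Security" book: it builds a PKCS#10 with the legacy Xenroll object (CEnroll.CEnroll, present on Windows 2000/XP), submits it through the ICertRequest COM interface (CertificateAuthority.Request), and handles disposition 5 (under submission) by saving the request ID so the client can check back with RetrievePending later, instead of failing. The CA config string, template name, subject DN and request-ID file path are placeholders, and the example submits a fresh request rather than a /renew request.

```vbscript
' Added example for this thread (not the book's enroll.vbs, not code from
' either poster). Shows how a client-side enrollment script should treat
' a request that a template with "CA certificate manager approval" pends.
' Placeholders: CA_CONFIG, TEMPLATE_NAME, SUBJECT_DN, REQUEST_ID_FILE.
Option Explicit

' Flags for ICertRequest::Submit / GetCertificate (values from certcli.h)
Const CR_IN_BASE64 = &H1
Const CR_IN_PKCS10 = &H100
Const CR_OUT_BASE64 = &H1
Const CR_OUT_CHAIN = &H100      ' return the certificate as a PKCS#7 with its chain

' Dispositions returned by Submit and RetrievePending
Const CR_DISP_INCOMPLETE = 0
Const CR_DISP_ERROR = 1
Const CR_DISP_DENIED = 2
Const CR_DISP_ISSUED = 3
Const CR_DISP_ISSUED_OUT_OF_BAND = 4
Const CR_DISP_UNDER_SUBMISSION = 5
Const CR_DISP_REVOKED = 6

Const CA_CONFIG = "CAHOST\Contoso Issuing CA"                   ' placeholder "<server>\<CA name>"
Const TEMPLATE_NAME = "VPNUser"                                 ' placeholder template name
Const SUBJECT_DN = "CN=laptop01,OU=Laptops,DC=contoso,DC=com"   ' placeholder subject
Const CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"                     ' id-kp-clientAuth
Const REQUEST_ID_FILE = "C:\pki\pending-request-id.txt"         ' placeholder path

Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")

' Build a PKCS#10 with Xenroll and submit it to the enterprise CA under
' the given template. Returns True only if a certificate was installed.
Function SubmitRequest()
    Dim enroll, req, pkcs10, disp
    Set enroll = CreateObject("CEnroll.CEnroll")
    pkcs10 = enroll.createPKCS10(SUBJECT_DN, CLIENT_AUTH_OID)

    Set req = CreateObject("CertificateAuthority.Request")
    disp = req.Submit(CR_IN_BASE64 Or CR_IN_PKCS10, pkcs10, _
                      "CertificateTemplate:" & TEMPLATE_NAME, CA_CONFIG)
    SubmitRequest = HandleDisposition(req, enroll, disp)
End Function

' Run on a later logon or from a scheduled task: ask the CA whether a
' certificate manager has acted on the request that was pended earlier.
Function CheckPendingRequest()
    Dim enroll, req, disp, requestId, ts
    CheckPendingRequest = False
    If Not fso.FileExists(REQUEST_ID_FILE) Then Exit Function

    Set ts = fso.OpenTextFile(REQUEST_ID_FILE)
    requestId = CLng(ts.ReadLine)
    ts.Close

    Set enroll = CreateObject("CEnroll.CEnroll")
    Set req = CreateObject("CertificateAuthority.Request")
    disp = req.RetrievePending(requestId, CA_CONFIG)
    CheckPendingRequest = HandleDisposition(req, enroll, disp)
End Function

' A pended request is not a failure: remember its ID so the next run can
' retrieve it once a certificate manager has issued it from the CA console.
Function HandleDisposition(req, enroll, disp)
    Dim ts
    HandleDisposition = False
    Select Case disp
        Case CR_DISP_ISSUED, CR_DISP_ISSUED_OUT_OF_BAND
            enroll.acceptPKCS7 req.GetCertificate(CR_OUT_BASE64 Or CR_OUT_CHAIN)
            If fso.FileExists(REQUEST_ID_FILE) Then fso.DeleteFile REQUEST_ID_FILE
            WScript.Echo "Certificate issued and installed."
            HandleDisposition = True
        Case CR_DISP_UNDER_SUBMISSION
            ' This is what the original poster saw with manager approval on:
            ' nothing is wrong, a human still has to issue the request.
            Set ts = fso.CreateTextFile(REQUEST_ID_FILE, True)
            ts.WriteLine CStr(req.GetRequestId())
            ts.Close
            WScript.Echo "Request " & req.GetRequestId() & " is pending approval; re-run with /check later."
        Case CR_DISP_DENIED
            WScript.Echo "Request denied by the CA: " & req.GetDispositionMessage()
        Case Else
            WScript.Echo "Unexpected disposition " & disp & ": " & req.GetDispositionMessage()
    End Select
End Function

' Usage: cscript pendingenroll.vbs          (submit a new request)
'        cscript pendingenroll.vbs /check   (retrieve a previously pended one)
If WScript.Arguments.Named.Exists("check") Then
    CheckPendingRequest
Else
    SubmitRequest
End If
```

The second mode is the scripted equivalent of what Brian says the Web Enrollment pages give a user: a way to come back for a request that is sitting in the CA's Pending Requests folder. It does not remove the approval step itself, which is the point of the template setting; a certificate manager still has to issue the request on the CA before /check succeeds.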

