Re: Computer Certificate using Web enrollment

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 08/25/05


Date: Thu, 25 Aug 2005 16:02:19 -0500

In article <UPydnYIWz55_G5DeRVn_vA@giganews.com>,
manuellee@cableonda-dot-net.no-spam.invalid says...
> I have a standalone root certificate, and IIS6.0 installed. I'm
> currently trying to deploy computer certificates, and even though I'm
> able to do this using active directory or the cert manager console, I
> want to deploy the computer certificates using IIS6.0.
>
> The issue is that when I log into the Webpage and select advanced
> certificate request, in the certificate templates there is no option
> for computer certificate.
>
> I have run the certutil and verified that the machine certificate is
> set for deploy. What should I do?
>
>
The reason is that the Web enrollment requests are performed in the
security context of the user, not the computer. The computer has enroll
permissions and not the user. Even if the user were assigned the Read
and Enroll permissions, there is no DNS name in their user account to
populate the subject of the certificate.

You must enable the Offline templates or create a v2 template that
enables the user to provide the subject in the request. This will allow
the user to type the DNS name of the computer and then submit the
request from the Web interface (if they have Read and Enroll permissions
for the cert and are a local Administrator on the computer to install it
in the machine store).

Brian

-- 
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
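
An added example, not part of the original post or of Brian Komar's reply: one way to supply the computer's DNS name as the subject is to build the PKCS #10 request with certreq in the machine context, then submit the resulting file through the Web enrollment advanced request page. The DNS name, the working folder, the file names and the key settings are constructed assumptions.

```powershell
# Added example. Run from an elevated prompt on the computer that needs the
# certificate: MachineKeySet = TRUE places the private key in the machine store,
# which is why local Administrator rights are required.
$dnsName = 'host01.example.com'                  # constructed sample; use the real DNS name
$work    = Join-Path $env:TEMP 'machine-cert'    # hypothetical working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# certreq request policy file. The subject is supplied here by the requester
# because a user account has no DNS name for the CA to read from the directory.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$dnsName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
"@
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# Step 1: generate the key pair and the base-64 PKCS #10 request.
certreq -new "$work\request.inf" "$work\request.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Step 2: paste this text into the advanced request page ("Submit a certificate
# request by using a base-64-encoded CMC or PKCS #10 file") and pick a template
# that takes the subject from the request.
Get-Content "$work\request.req"

# Step 3: after downloading the issued certificate as issued.cer into $work,
# bind it to the pending private key in the machine store and confirm it.
$issued = Join-Path $work 'issued.cer'
if (Test-Path $issued) {
    certreq -accept $issued
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$dnsName" } |
        Format-List Subject, NotAfter, HasPrivateKey
} else {
    Write-Host "Save the issued certificate as $issued, then run this script again."
}
```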

