Re: autoenrolment/certificate questions

Shawn Corey [MSFT]
Answers inline below


This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at

"Al Blake" <(E-Mail Removed)> wrote in message
news:%23FS$(E-Mail Removed)...
> We are using W2k3Ent to support auto-enrollment of machine certificates as
> the basis of our EAP-TLS Wifi security. The process is working well but due
> to misunderstandings at the start of the project we have deviated from 'best
> practise'. I have a couple of questions as to what actions we should take to
> clean things up?
> a) Because we misunderstood the way templates work we have been
> autoenrolling all our domain laptops with the CA default 'computer'
> certificate. If we now create our own version 2 template "workstation
> certificate" that is only valid for client authentication, should we make
> this new certificate supersede the built-in one or will this cause us
> problems? Should we just wait for the built-in one to expire on the
> workstations?

Superseding is the recommended way of doing this; the old certificates will
still remain on the machine, they will just be archived. If you want to
completely remove the certificates I would suggest a CAPICOM logon script to
search for the certs based on the Computer template and delete them.

> b) We have installed an Enterprise CA and a subordinate CA. The Enterprise
> CA has been issuing all certificates so far but we want to load balance and
> provide redundancy in case it fails. How do we do this? Are we best advised
> to point *both* CAs at a shared configuration directory so they read the
> same config.....or am I misunderstanding the shared config functionality?
> Will the subordinate CA have the template definitions if we do this? How can
> we redirect the config directory after the CA has been installed (can it be
> done?)

If you are using autoenrollment then the easiest way to "load balance" the
CAs is to just configure them to issue the same templates and have the same
security settings for the users allowed to enroll; admin ACLs can be
different of course. When autoenrollment enrolls for a certificate it will
randomly select a CA to enroll against; this should spread the requests
fairly evenly across both CAs.

> c) We have 3 old root certificates that are not used by anything any more
> (like I said we had a lot of changes over the course of this project). They
> are appearing in the local cert store of all the clients. How can we clean
> this up? Should we expire them or delete them from the enterprise CA...and
> if we do will they get removed from the clients?

By 3 old root certificates do you mean you have renewed the CA 3 times, or
that you have installed/uninstalled Root CAs that left those behind?
If the old certificates are from renewing the CA then you should leave them;
they will not cause any harm and may be needed when you least expect them.
If installing/uninstalling CAs has left those roots behind I would recommend
checking out the PKI Health Tool from the Win2k3 reskit. The PKI Health Tool
will let you see what certs are resident in your AD and allow you to delete
the residue left behind by the CAs that are no longer present; this should
clear the old CAs from your clients after AD replicates (if more than one DC)
and group policy is refreshed on the clients.

> Like I say - it's all working but I'd like it a bit tidier! Any tips and/or
> explanations would be gratefully appreciated.
> regards
> Al Blake, Canberra, Australia
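The cleanup script suggested in answer (a), written as an added PowerShell example rather than the CAPICOM logon script the reply mentions; it is not code from the thread. It finds certificates in the machine's personal store that were issued from the built-in Computer template (internal template name "Machine", carried in the v1 Certificate Template Name extension 1.3.6.1.4.1.311.20.2) and removes them, but only once a valid certificate from the new v2 template is present, so a laptop is never left without a certificate for EAP-TLS. The new template's internal name "WorkstationCertificate" is an assumption; substitute your own. Run it elevated (for example as a computer startup script) and use -WhatIf first to see what would be deleted.

```powershell
# Added example, not from the original post. Removes old "Computer"-template
# certificates from LocalMachine\My once a newer v2-template certificate exists.
# Requires PowerShell 3.0+ (Remove-Item on the Cert: drive) and administrator rights.
param([switch]$WhatIf)

$OldTemplateName = 'Machine'                 # internal name of the built-in "Computer" (v1) template
$NewTemplateName = 'WorkstationCertificate'  # ASSUMPTION: internal name of your custom v2 template

# Returns the template name a certificate was issued from, or $null.
# v1 templates: extension 1.3.6.1.4.1.311.20.2 is a DER BMPString with the template name.
# v2 templates: extension 1.3.6.1.4.1.311.21.7 formats as "Template=<name>(<oid>), ..."
# (if the template cannot be resolved locally, Windows prints only the OID in place of the name).
function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.4.1.311.20.2' {
                $raw = $ext.RawData
                # tag 0x1E = BMPString, short-form length byte, then UTF-16BE characters
                if ($raw.Length -ge 2 -and $raw[0] -eq 0x1E -and $raw[1] -lt 0x80) {
                    return [Text.Encoding]::BigEndianUnicode.GetString($raw, 2, $raw[1])
                }
            }
            '1.3.6.1.4.1.311.21.7' {
                if ($ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
            }
        }
    }
    return $null
}

$now    = Get-Date
$tagged = foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    [pscustomobject]@{ Cert = $c; Template = (Get-TemplateName -Cert $c) }
}

# Safety check: never strip the old certificate unless a usable replacement is present.
$replacement = $tagged | Where-Object {
    $_.Template -eq $NewTemplateName -and $_.Cert.NotBefore -le $now -and $_.Cert.NotAfter -gt $now
}
if (-not $replacement) {
    Write-Warning "No valid '$NewTemplateName' certificate found in LocalMachine\My; leaving old certificates in place."
    return
}

$old = $tagged | Where-Object { $_.Template -eq $OldTemplateName }
if (-not $old) { Write-Host "No '$OldTemplateName' certificates present; nothing to do."; return }

foreach ($o in $old) {
    Write-Host ("Removing {0} (thumbprint {1}, expires {2:yyyy-MM-dd})" -f `
        $o.Cert.Subject, $o.Cert.Thumbprint, $o.Cert.NotAfter)
    # -WhatIf:$WhatIf makes a dry run when the script is invoked with -WhatIf
    Remove-Item -Path ("Cert:\LocalMachine\My\" + $o.Cert.Thumbprint) -WhatIf:$WhatIf
}
```

Deleting a certificate from the client store does not invalidate it: until it expires, a copy of the old Computer certificate (and its private key, if it was ever exported) would still be accepted by any RADIUS server that trusts the CA. If you want the old certificates to stop working for EAP-TLS rather than just disappear from the clients, revoke them on the CA as well (for example with certutil -revoke) and make sure the NPS/IAS server checks the CRL.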

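A check for answer (b), added here as an example and not part of the original reply: before relying on autoenrollment to spread requests across both CAs, confirm that the two CAs are actually configured to issue the same templates. The script asks each CA for its template list with certutil -CATemplates and reports any template that only one of them issues. The CA config strings ("host\CA name") are placeholders and must be replaced with your own; certutil needs network access to both CAs and an account allowed to read their configuration.

```powershell
# Added example, not from the original post. Compares the templates each CA is
# configured to issue so autoenrollment can succeed against either CA.
# ASSUMPTION: the two config strings below are placeholders for your CAs.
$CAs = @(
    'ca1.corp.example\Corp Enterprise CA',
    'ca2.corp.example\Corp Subordinate CA'
)

# certutil -CATemplates prints one line per issued template, e.g.
#   Machine: Computer -- Auto-Enroll: Access is denied.
# The token before the first ':' is the template's internal (LDAP) name.
function Get-IssuedTemplates {
    param([string]$Config)
    $lines = & certutil.exe -config $Config -CATemplates 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed for '$Config': $($lines -join ' ')" }
    foreach ($l in $lines) {
        $text = $l.ToString()
        # skip certutil's own "CertUtil: -CATemplates command completed successfully." line
        if ($text -match '^(?<name>[^:\s]+):\s' -and $text -notmatch '^CertUtil:') { $Matches.name }
    }
}

$byCA = @{}
foreach ($ca in $CAs) { $byCA[$ca] = @(Get-IssuedTemplates -Config $ca | Sort-Object -Unique) }

$reference = $CAs[0]
foreach ($ca in $CAs[1..($CAs.Count - 1)]) {
    $diff = Compare-Object -ReferenceObject $byCA[$reference] -DifferenceObject $byCA[$ca]
    if ($diff) {
        Write-Warning "Template lists differ between '$reference' and '$ca':"
        foreach ($d in $diff) {
            $where = if ($d.SideIndicator -eq '<=') { "only on $reference" } else { "only on $ca" }
            Write-Host ("  {0} ({1})" -f $d.InputObject, $where)
        }
    } else {
        Write-Host "OK: '$ca' issues the same templates as '$reference'"
    }
}
```

Template permissions (Enroll and Autoenroll) live on the template object in Active Directory, so they are shared by every enterprise CA in the forest automatically; what can still differ per CA is the CA's own Request Certificates permission on the CA object, which is the setting the reply means by "security settings for the users allowed to enroll". A template missing from one CA's list here is the usual reason a client autoenrolls fine against one CA and fails against the other.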