Re: autoenrolment/certificate questions

Discussion in 'Wireless Networking' started by Shawn Corey [MSFT], Nov 16, 2004.

Answers inline below


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples is subject to the terms specified at

    "Al Blake" <> wrote in message
    > We are using W2k3Ent to support auto-enrollment of machine certificates as
    > the basis of our EAP-TLS Wifi security. The process is working well but due
    > to misunderstandings at the start of the project we have deviated from 'best
    > practice'. I have a couple of questions as to what actions we should take to
    > clean things up?
    > a) Because we misunderstood the way templates work we have been
    > autoenrolling all our domain laptops with the CA default 'computer'
    > certificate. If we now create our own version 2 template "workstation
    > certificate" that is only valid for client authentication, should we make
    > this new certificate supersede the built-in one or will this cause us
    > problems? Should we just wait for the built-in one to expire on the
    > workstations?

    Superseding is the recommended way of doing this; the old certificates will
    still remain on the machine, they will just be archived. If you want to
    completely remove the certificates I would suggest a CAPICOM logon script to
    search for the certs based on the Computer template and delete them.

    > b) We have installed an Enterprise CA and a subordinate CA. The Enterprise
    > CA has been issuing all certificates so far but we want to load balance and
    > provide redundancy in case it fails. How do we do this? Are we best advised
    > to point *both* CAs at a shared configuration directory so they read the
    > same config.....or am I misunderstanding the shared config functionality?
    > Will the subordinate CA have the template definitions if we do this? How can
    > we redirect the config directory after the CA has been installed (can it be
    > done?)

    If you are using autoenrollment then the easiest way to "load balance" the
    CAs is to just configure them to issue the same templates and have the same
    security settings for the users allowed to enroll; admin ACLs can be
    different of course. When autoenrollment enrolls for a certificate it will
    randomly select a CA to enroll against, this should spread the requests
    fairly evenly across both CAs.

    > c) We have 3 old root certificates that are not used by anything any more
    > (like I said we had a lot of changes over the course of this project). They
    > are appearing in the local cert store of all the clients. How can we clean
    > this up? Should we expire them or delete them from the enterprise CA...and
    > if we do will they get removed from the clients?

    By 3 old root certificates do you mean you have renewed the CA 3 times, or
    that you have installed/uninstalled Root CAs that left those behind?
    If the old certificates are from renewing the CA then you should leave them,
    they will not cause any harm and may be needed when you least expect them :).
    If installing/uninstalling CAs has left those roots behind I would recommend
    checking out the PKI Health Tool from the Win2k3 reskit. The PKI Health Tool
    will let you see what certs are resident in your AD and allow you to delete
    the residue left behind by the CAs that are no longer present; this should
    clear the old CAs from your clients after AD replicates (if more than one DC)
    and group policy is refreshed on the clients.

    > Like I say - it's all working but I'd like it a bit tidier! Any tips and/or
    > explanations would be gratefully appreciated.
    > regards
    > Al Blake, Canberra, Australia
    Shawn Corey [MSFT], Nov 16, 2004
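
An added example, not part of Shawn's post, for answers (a) and (b). It is PowerShell rather than the CAPICOM logon script he suggests, since that is what a Windows admin would run today. Two things it does: it reads each enterprise CA's pKIEnrollmentService object from the configuration partition and diffs the certificateTemplates lists, so you can confirm both CAs really publish the same templates before relying on autoenrollment's random CA choice; and it enumerates LocalMachine\My (including archived entries, which is where superseded certs end up) and reports or deletes the ones issued from the built-in Computer template. The function names and the -Remove switch are my own; the internal template name "Machine" for the built-in Computer template is an assumption to confirm with `certutil -v -template` before running with -Remove. It does not check the CA-side enroll ACLs Shawn mentions, only the published template lists.

```powershell
# Added example (not from the thread). Run elevated on a domain-joined machine.
# Assumptions: the v1 "Computer" template's internal name is "Machine";
# the -Remove switch is hypothetical and off by default, so the first run
# is a dry run that only reports what it would delete.

function Get-CAPublishedTemplates {
    # Answer (b): every enterprise CA registers a pKIEnrollmentService object
    # under Enrollment Services in the configuration partition; its
    # certificateTemplates attribute is the list of templates it will issue.
    $cfgNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $svc   = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNc"
    $published = @{}
    foreach ($ca in $svc.Children) {
        $templates = @($ca.Properties["certificateTemplates"] | ForEach-Object { "$_" })
        $published["$($ca.cn)"] = $templates | Sort-Object
    }
    return $published
}

function Compare-CAPublishedTemplates {
    # Reports templates one CA publishes and another does not. For
    # autoenrollment to pick either CA at random, the lists must match.
    param([hashtable]$Published)
    $union = $Published.Values | ForEach-Object { $_ } | Sort-Object -Unique
    foreach ($ca in ($Published.Keys | Sort-Object)) {
        $missing = @($union | Where-Object { $Published[$ca] -notcontains $_ })
        if ($missing.Count -eq 0) {
            "$ca publishes all $($union.Count) templates"
        } else {
            "$ca is missing: $($missing -join ', ')"
        }
    }
}

function Get-CertTemplateName {
    # Returns the template a certificate was issued from, or $null.
    # v1 templates (the built-in Computer template among them) put the template
    # name in OID 1.3.6.1.4.1.311.20.2; v2 templates put the template OID in
    # 1.3.6.1.4.1.311.21.7, which Format() renders as "Template=Name(OID)...".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.4.1.311.20.2' { return $ext.Format($false).Trim() }
            '1.3.6.1.4.1.311.21.7' {
                if ($ext.Format($false) -match 'Template=([^(\r\n]+)') { return $Matches[1].Trim() }
            }
        }
    }
    return $null
}

function Remove-ComputerTemplateCert {
    # Answer (a): once the new template supersedes "Computer", the old certs
    # remain in LocalMachine\My as archived entries. Open the store with
    # IncludeArchived so they are enumerated, then act only on certificates
    # whose template name matches. Without -Remove this only reports.
    param([string]$TemplateName = 'Machine', [switch]$Remove)
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadWrite, IncludeArchived'
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open($flags)
    try {
        foreach ($cert in @($store.Certificates)) {
            if ((Get-CertTemplateName -Cert $cert) -ne $TemplateName) { continue }
            $desc = "$($cert.Thumbprint) $($cert.Subject) expires $($cert.NotAfter)"
            if ($Remove) { $store.Remove($cert); "Removed $desc" }
            else         { "Would remove $desc" }
        }
    } finally {
        $store.Close()
    }
}

# Usage: confirm both CAs issue the same templates, then dry-run the cleanup.
Compare-CAPublishedTemplates -Published (Get-CAPublishedTemplates)
Remove-ComputerTemplateCert
# Remove-ComputerTemplateCert -Remove   # only after the new workstation cert is present on the machine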