Re: CA auto-enrollment policies with Windows 2003
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 22 Aug 2005 23:29:13 -0500
Yes, you need to have your enterprise CA installed on Windows 2003 Server
Enterprise Edition in order to use type 2 templates and autoenrollment for
users and computers. It is possible to use a CA installed on Windows 2000 or
Windows 2003 Server to still use "automatic request" in Group Policy to
issue computer certificates to domain computers.

The CRLs will be published to what is configured in the policy module of
the CA that is available via the Certificate Authority Management Console, and by
default both Active Directory and http will be specified and included on
issued certificates. Since you want to change the location to http, it is
important to do that before you issue any certificates. I believe that
domain computers will try to use Active Directory first to locate the CRL.

I highly recommend that you buy Windows Server 2003 PKI and Certificate Security
by Brian Komar. It is an excellent book that answers all of your questions
and has a lot of other important info that you will want to know about
PKI. --- Steve
"JimMatelski" <JimMatelski@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E01E374B-A717-46E2-90C8-619604A34D2A@xxxxxxxxxxxxxxxx
> Our company is planning an internal PKI infrastructure. As part of the
> deployment, internally generated SSL certificates will be created as well as
> computer certificates assigned to each workstation. According to page 5 of
> the "Best Practices for Implementing a Microsoft Windows Server 2003 Public
> Key Infrastructure Guide" you need to have Windows 2003 Enterprise edition
> installed on the issuing CAs in order to deploy auto-enrolled user and
> computer certificates to the workstation. Is this correct?
>
> Second, since we will be installing the certificate services onto the
> existing domain controllers we really don't want to also install IIS on them
> as well. Instead we would like to install the certificate website on a
> separate internal web server. For a subordinate (issuing) Enterprise CA will
> the Certificate Revocation List (CRL) be published first to AD and second to
> the website? Will AD enabled workstations perform an LDAP query to AD before
> looking to the web server as the distribution point? How does one manually
> configure this for separate servers? I'm assuming this is contained within
> the certificate and not controlled through group policy.
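The CDP change Steve describes (set in the CA's policy module, baked into each certificate at issuance, so it must be done before the first certificate is issued) can be scripted with certutil. The following is an added example, not code from either poster: it rewrites the CA's CRLPublicationURLs so that newly issued certificates carry only an HTTP distribution point on a separate web server, while the CA keeps publishing CRLs to Active Directory and to a file share the web server serves. The host name pki.example.com and the CertEnroll$ share are placeholders that are assumed here; the flag values and %-tokens are the ones certutil documents for this registry value.

```powershell
# Added example: move the CRL Distribution Point of issued certificates to HTTP.
# Run from an elevated prompt on the issuing CA (works in cmd or PowerShell
# because the real work is done by certutil).

$HttpHost  = "pki.example.com"          # ASSUMED: the separate internal web server
$PublishTo = "\\$HttpHost\CertEnroll$"  # ASSUMED: share the web server exposes as /CertEnroll/

# Each entry is "<flags>:<url>". Flags are summed from:
#   1  = publish CRLs to this location
#   2  = include this URL in the CDP extension of issued certificates
#   4  = include this URL in CRLs as the delta-CRL (freshest CRL) location
#   8  = include this URL in the IDP extension of issued CRLs
#   64 = publish delta CRLs to this location
# %-tokens are expanded by the CA: %3 = CA name, %8 = CRL name suffix,
# %9 = delta-CRL marker, %2 = server short name, %6 = configuration
# container DN, %7 = truncated CA name, %10 = CDP object class.
# Entry ORDER is the order clients see in the extension and therefore the
# order in which they try the locations.
$urls = @(
    "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl",               # local file: publish full + delta, not in certs
    "65:$PublishTo\%3%8%9.crl",                                             # copy to the web server's share: publish only
    "6:http://$HttpHost/CertEnroll/%3%8%9.crl",                             # the only URL written into issued certs (2) + freshest CRL (4)
    "1:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"  # still published to AD, no longer in certs
)

# certutil takes the entries as one string separated by a literal "\n".
# In PowerShell a double-quoted "\n" is exactly that (newline would be `n).
certutil -setreg CA\CRLPublicationURLs ($urls -join "\n")

# The policy module only re-reads this value when the service starts.
Restart-Service certsvc

# Publish a CRL to every location flagged 1/64 now, so the HTTP path already
# resolves before the first certificate that points at it is issued.
certutil -CRL

# Verify the effective setting: the http entry should be the only one
# carrying flag 2, and it should be listed before the ldap entry.
certutil -getreg CA\CRLPublicationURLs
```

Two caveats a practitioner will want: certificates issued before this change keep the old LDAP-first CDP, since the extension is copied into the certificate at issuance and not read from Group Policy, which is exactly why Steve says to change it first; and the same mechanism applies to the AIA extension through the CACertPublicationURLs value, which should be moved to the same web server if the goal is to avoid LDAP lookups. To confirm what a freshly issued certificate actually contains, export it and run `certutil -dump <file>.cer` and read the "CRL Distribution Points" block.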