Solved

How do Internet users obtain certificates from an Internal CA?

Posted on 2007-11-30
10
266 Views
Last Modified: 2013-12-04
I want to use certs as an authentication system. If the client doesn't have a cert issued by the CA they don't get in. I understand the IIS configuration (I think), but how do they get the certs from the CA without having to request one (i.e. without going through the /certsrv process)? Can I create a cert and send it to them?? I don't want to rely on a public CA system like Verisign. CAN IT BE DONE???
Question by:lesmydad
10 Comments
 
LVL 18

Expert Comment

by:PowerIT
ID: 20380721
Is this server or client authentication?

J.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 20380782
I'm assuming the client computers are not a part of your domain? First you need to install the root CA cert in the trusted root certification authorities store on each client computer:
http://technet2.microsoft.com/windowsserver/en/library/758c0043-17db-44b4-aad1-f23318acdd691033.mspx?mfr=true
http://www.novell.com/coolsolutions/feature/18875.html

After that use the same method to deploy the actual client certs. If however they are connected to your domain, you can use certificate autoenrollment via active directory.

0
 
LVL 1

Author Comment

by:lesmydad
ID: 20380784
I want my clients to be able to authenticate against an IIS server. I can put a cert on an IIS server from my CA, but how do Internet clients get the client cert required for authentication?
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 20380839
Actually, yes, which one are you talking about: do you want to install a cert on the server so the clients can use SSL and make sure they're connecting to the correct server, or do you want to install client certificates to use for authentication? If the latter, follow the instructions I gave in my post above. If the former, after installing the cert on the server it will be offered to the clients when they connect. They will be prompted to accept and/or save the cert, but it will still give them an error when connecting, since the issuing root CA is not trusted.
0
 
LVL 1

Author Comment

by:lesmydad
ID: 20380968
My clients know where they are going. I need to know (on the server) if it's really them. Are you saying they don't need client certs, only a root CA cert? Doesn't sound right to me! They are domain clients but are not using a VPN to connect. They will use RPC/HTTP for email and HTTPS for access to web information. What I don't understand is: if they are not using a VPN they cannot be given a cert by autoenrollment, so how do they get their own individual client cert without requesting one themselves? I'm sorry for being stupid!!! Please help
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 20380995
You need to install the root CA cert so the certs issued by that CA are automatically trusted by the clients. After that you install the client cert using the same method, but instead of installing it to the Trusted Root CAs store, you install it to the Personal certificate store of the user.

What I mean by them being domain clients is that if they are a part of your internal domain, you can roll out the certificates to them when they connect to your network, as in when they are in the office:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

If the clients *never* connect to your internal domain, you have to manually install the certs, either by having your users do it themselves, by scripting, or by creating an installation package with Wise/InstallShield/etc.
0
 
LVL 1

Author Comment

by:lesmydad
ID: 20381081
Can a generic client cert be made and emailed to my clients? That is, a cert that can be used by all clients?
If not possible, then how do I script it?
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 20381104
It can, but I'd recommend against it because of the security implications. That would mean that anyone in the possession of the cert would be allowed access. A far better solution would be to use unique certs, but yes, they can be emailed to the users with instructions on how to install them.
0
 
LVL 1

Author Comment

by:lesmydad
ID: 20381119
CoccoBill, you've been great! Almost there now... you mentioned scripting or creating an installation package with Wise/InstallShield/etc. I know this is asking a lot, but how would I do that? Sounds sexy!!! Now you've got my interest!!
0
 
LVL 19

Accepted Solution

by:CoccoBill (earned 500 total points)
ID: 20381248
Neither of those methods is trivial; a far easier method is to use GPO autoenrollment. To deploy the certs using logon scripts, you might want to check out this post:

http://www.visualbasicscript.com/m_37106/mpage_1/key_/tm.htm#37120

Wise and InstallShield are commercial installation packagers, but there are some free options. Going into the details on how to use them to create a certificate installation package is beyond the scope of this thread and my knowledge. :)

0
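The deployment steps CoccoBill describes in the thread (root CA cert into the machine's Trusted Root store, the user's own client cert into the user's Personal store, driven from a logon script or installer) can be put into a single script. The following is an added example, not code from this thread, the linked post, or Microsoft. The file share path, the one-PFX-per-user naming convention and the password prompt are assumptions; the root CA cert is the internal CA's exported `.cer`, and the per-user `.pfx` is the client certificate plus private key exported for that user. Installing into `LocalMachine\Root` requires an elevated session.

```powershell
# Added example: install the internal root CA cert and the user's own client cert.
# Paths and naming convention below are assumptions, not from the thread.
param(
    [string]$RootCerPath   = "\\fileserver\certs\InternalRootCA.cer",   # assumed location of the exported root cert
    [string]$ClientPfxPath = "\\fileserver\certs\$env:USERNAME.pfx",    # assumed: one PFX per user, named after the account
    [System.Security.SecureString]$PfxPassword = (Read-Host -AsSecureString "PFX password")  # assumed: password set at export time
)

# Look a certificate up by thumbprint so the script is safe to run more than once.
function Get-StoreCertificateByThumbprint {
    param([string]$StoreName, [string]$StoreLocation, [string]$Thumbprint)
    Get-ChildItem -Path "Cert:\$StoreLocation\$StoreName" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
}

# Step 1: trust the internal CA on this machine (Trusted Root Certification Authorities).
function Install-RootCertificate {
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    # A root certificate is self-signed; refuse anything else so a leaf or intermediate
    # cert can never be pushed into the Trusted Root store by mistake.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "$CerPath is not self-signed; not installing it as a trusted root."
    }
    if (Get-StoreCertificateByThumbprint -StoreName Root -StoreLocation LocalMachine -Thumbprint $cert.Thumbprint) {
        Write-Verbose "Root CA $($cert.Thumbprint) is already trusted."
        return $cert
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $store.Open("ReadWrite")
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert
}

# Step 2: put the user's client cert (with private key) into the user's Personal store.
function Install-ClientCertificate {
    param([string]$PfxPath, [System.Security.SecureString]$Password, [string]$ExpectedRootThumbprint)
    # PersistKeySet keeps the private key after import; UserKeySet stores it in the user's profile.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password, $flags)
    if (-not $cert.HasPrivateKey) {
        throw "$PfxPath contains no private key; it cannot be used for client authentication."
    }
    # Verify the client cert chains to the internal root installed in step 1 and not to
    # some other CA that happens to be trusted on this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        throw "Client cert does not chain to a trusted root: $reasons"
    }
    $rootInChain = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($rootInChain.Thumbprint -ne $ExpectedRootThumbprint) {
        throw "Client cert chains to '$($rootInChain.Subject)', not to the internal CA."
    }
    if (Get-StoreCertificateByThumbprint -StoreName My -StoreLocation CurrentUser -Thumbprint $cert.Thumbprint) {
        Write-Verbose "Client cert $($cert.Thumbprint) is already installed."
        return $cert
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
    $store.Open("ReadWrite")
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert
}

$root   = Install-RootCertificate -CerPath $RootCerPath
$client = Install-ClientCertificate -PfxPath $ClientPfxPath -Password $PfxPassword -ExpectedRootThumbprint $root.Thumbprint
"Installed client cert for '$($client.Subject)' (expires $($client.NotAfter)); root CA '$($root.Subject)' trusted."
```

The chain check is the part worth keeping even if the rest is replaced by an installer package: it catches a PFX that was issued by the wrong CA, or one exported without its private key, before the user tries to log on and gets an unhelpful IIS error. Because each user gets their own PFX, revoking one person's access means revoking one certificate at the CA rather than re-issuing a shared one to everybody, which is the point CoccoBill makes about generic certs. On clients without PowerShell, the same two store operations are available from the command line as `certutil -addstore Root InternalRootCA.cer` and `certutil -user -importpfx user.pfx`.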


Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Laptops & PCs compliance & tracking 10 90
Forensic audit of SBS 2008 3 74
Endpoint security products 4 51
internet access from windows servers 4 65
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now