Solved

How do Internet users obtain certificates from an Internal CA?

Posted on 2007-11-30
265 Views
Last Modified: 2013-12-04
What I want is to use certs as an authentication system. If the client doesn't have a cert issued by the CA, they don't get in. I understand the IIS configuration (I think), but how do they get the certs from the CA without having to request one (i.e. without going through the /certsrv process)? Can I create a cert and send it to them? I don't want to rely on a public CA system like VeriSign. Can it be done?
Question by:lesmydad
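The server side of the question, as an added example that is not part of the original thread: making an IIS site demand a client certificate and confirming the setting with a test request. It assumes IIS 7 or later with the WebAdministration module and PowerShell 3.0+ (the thread predates both), a site named "Default Web Site", an internal CA called "CN=Internal Root CA", and a binding that matches the local host name; all of those are assumptions.

```powershell
# Added example (not from the thread): require a client certificate on an IIS site
# and verify the result. Assumes IIS 7+ with WebAdministration and PowerShell 3.0+.
Import-Module WebAdministration

$siteName  = 'Default Web Site'      # assumption: site to protect
$caSubject = 'CN=Internal Root CA'   # assumption: subject DN of the internal root CA

# Require SSL, negotiate a client certificate during the handshake, and reject
# connections that do not present one (IIS answers those with HTTP 403.7).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Read the setting back instead of assuming the write took effect.
$flags = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
if ($flags -notmatch 'SslRequireCert') {
    throw "sslFlags is '$flags'; client certificates are not being required."
}

# Schannel only accepts client certificates that chain to a CA in the server's
# LocalMachine\Root store, so the internal root must be trusted on the server too.
$rootPresent = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $caSubject }
if (-not $rootPresent) {
    Write-Warning "'$caSubject' is not in LocalMachine\Root; every client cert it issued will be rejected (403.16)."
}

# Smoke test from the server itself.
$url = "https://$env:COMPUTERNAME/"   # assumption: the HTTPS binding matches this host name

# Without a client certificate the request must be refused.
try {
    Invoke-WebRequest -Uri $url -UseBasicParsing | Out-Null
    Write-Warning 'Request with no client certificate succeeded; the requirement is not effective.'
} catch {
    Write-Host "Without client cert: $($_.Exception.Message)"
}

# With a certificate issued by the internal CA (and its private key) it should succeed.
$clientCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -eq $caSubject -and $_.HasPrivateKey } |
    Select-Object -First 1
if ($clientCert) {
    $resp = Invoke-WebRequest -Uri $url -Certificate $clientCert -UseBasicParsing
    Write-Host "With client cert '$($clientCert.Subject)': HTTP $($resp.StatusCode)"
} else {
    Write-Host "No client certificate from '$caSubject' in CurrentUser\My; skipping the positive test."
}
```

Requiring the certificate only proves the caller holds a key certified by your CA; which user that is still has to come from the certificate's subject (or from mapping the certificate to an account), which is why a single cert shared by everyone defeats the purpose.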
10 Comments
 
Expert Comment by PowerIT (LVL 18), ID: 20380721
Is this server or client authentication?

J.

Expert Comment by CoccoBill (LVL 19), ID: 20380782
I'm assuming the client computers are not part of your domain? First you need to install the root CA cert in the Trusted Root Certification Authorities store on each client computer:
http://technet2.microsoft.com/windowsserver/en/library/758c0043-17db-44b4-aad1-f23318acdd691033.mspx?mfr=true
http://www.novell.com/coolsolutions/feature/18875.html

After that, use the same method to deploy the actual client certs. If, however, they are connected to your domain, you can use certificate autoenrollment via Active Directory.


Author Comment by lesmydad (LVL 1), ID: 20380784
I want my clients to be able to authenticate against an IIS server. I can put a cert on an IIS server from my CA, but how do Internet clients get the client cert required for authentication?

Expert Comment by CoccoBill (LVL 19), ID: 20380839
Actually, yes, which one are you talking about: do you want to install a cert on the server so the clients can use SSL and make sure they're connecting to the correct server, or do you want to install client certificates to use for authentication? If the latter, follow the instructions I gave in my post above. If the former, after installing the cert on the server it will be offered to the clients when they connect. They will be prompted to accept and/or save the cert, but it will still give them an error when connecting, since the issuing root CA is not trusted.

Author Comment by lesmydad (LVL 1), ID: 20380968
My clients know where they are going. I need to know (on the server) if it's really them. Are you saying they don't need client certs, only a root CA cert? Doesn't sound right to me! They are domain clients but are not using a VPN to connect. They will use RPC/HTTP for email and HTTPS for access to web information. What I don't understand is: if they are not using a VPN they cannot be given a cert by autoenrollment, so how do they get their own individual client cert without requesting one themselves? I'm sorry for being stupid! Please help.

Expert Comment by CoccoBill (LVL 19), ID: 20380995
You need to first install the root CA cert so the certs issued by that CA are automatically trusted by the clients. After that you install the client cert using the same method, but instead of installing it to the Trusted Root CAs store, you install it to the Personal certificate store of the user.

What I mean by them being domain clients is that if they are part of your internal domain, you can roll out the certificates to them when they connect to your network, as in when they are in the office:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

If the clients *never* connect to your internal domain, you have to manually install the certs, either by having your users do it themselves, by scripting, or by creating an installation package with Wise/InstallShield/etc.

Author Comment by lesmydad (LVL 1), ID: 20381081
Can a generic client cert be made and emailed to my clients? That is, a cert that can be used by all clients?
If not possible, then how do I script it?

Expert Comment by CoccoBill (LVL 19), ID: 20381104
It can, but I'd recommend against it because of the security implications. That would mean that anyone in possession of the cert would be allowed access. A far better solution would be to use unique certs, but yes, they can be emailed to the users with instructions on how to install them.

Author Comment by lesmydad (LVL 1), ID: 20381119
CoccoBill, you've been great! Almost there now... you mentioned scripting or creating an installation package with Wise/InstallShield/etc. I know this is asking a lot, but how would I do that? Sounds sexy! Now you've got my interest!

Accepted Solution by CoccoBill (LVL 19), earned 500 total points, ID: 20381248
Neither of those methods is trivial; a far easier method is to use GPO autoenrollment. To deploy the certs using logon scripts, you might want to check out this post:

http://www.visualbasicscript.com/m_37106/mpage_1/key_/tm.htm#37120

Wise and InstallShield are commercial installation packagers, but there are some free options. Going into the details of how to use them to create a certificate installation package is beyond the scope of this thread and my knowledge. :)

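The deployment CoccoBill describes (root CA cert into the Trusted Root store, the user's own cert into the Personal store, done by script rather than by hand), as an added example that is not code from the thread or from the linked post. It uses the .NET X509Store API so it runs on any Windows PowerShell version. The file share paths, the CA subject name, the root thumbprint and the one-PFX-per-user naming are assumptions for illustration.

```powershell
# Added example (not from the thread): logon-script style install of the internal
# root CA certificate (machine-wide) and the user's own client certificate (per user),
# followed by a chain check. All paths, names and the thumbprint are assumptions.

param(
    [string]$RootCerPath = '\\fileserver\certs\InternalRootCA.cer',    # assumed: CA's public cert
    [string]$UserPfxPath = "\\fileserver\certs\$env:USERNAME.pfx",     # assumed: one PFX per user
    [string]$ExpectedIssuer = 'CN=Internal Root CA',                    # assumed: issuer DN
    [string]$ExpectedRootThumbprint = '0000000000000000000000000000000000000000'  # assumed: from the CA admin, out of band
)

$X509 = 'System.Security.Cryptography.X509Certificates'

# 1. Trust the internal CA machine-wide (needs local admin). Pin the thumbprint so a
#    swapped file on the share cannot silently make the client trust a different CA.
$root = New-Object "$X509.X509Certificate2" -ArgumentList $RootCerPath
if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
    throw "Root CA thumbprint mismatch: got $($root.Thumbprint)"
}
$rootStore = New-Object "$X509.X509Store" -ArgumentList 'Root', 'LocalMachine'
$rootStore.Open('ReadWrite')
if (-not $rootStore.Certificates.Contains($root)) { $rootStore.Add($root) }
$rootStore.Close()

# 2. Import the user's client certificate with its private key into CurrentUser\My.
#    The PFX password is prompted for, not embedded in a script that sits on a share.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for your certificate file'
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet,PersistKeySet'
$client = New-Object "$X509.X509Certificate2" -ArgumentList $UserPfxPath, $pfxPassword, $flags

if (-not $client.HasPrivateKey) { throw 'PFX contains no private key; client authentication would fail.' }
if ($client.Issuer -ne $ExpectedIssuer) { throw "Unexpected issuer '$($client.Issuer)'" }

$myStore = New-Object "$X509.X509Store" -ArgumentList 'My', 'CurrentUser'
$myStore.Open('ReadWrite')
if (-not $myStore.Certificates.Contains($client)) { $myStore.Add($client) }
$myStore.Close()

# 3. Verify the chain builds to the root installed in step 1. Revocation checking is
#    left at its default; if the CA's CRL is not reachable from the Internet, this is
#    where that shows up, and IIS would hit the same failure when validating the cert.
$chain = New-Object "$X509.X509Chain"
if (-not $chain.Build($client)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Client certificate does not chain to a trusted root.'
}
Write-Host "Installed '$($client.Subject)' (expires $($client.NotAfter)); chain OK."
```

Step 1 runs once per machine, elevated (for domain-joined machines the same root can be pushed through the Trusted Root Certification Authorities policy in a GPO instead); step 2 runs as the user who will authenticate. Each user gets their own PFX, which keeps the per-user accountability CoccoBill's warning about a shared cert is protecting.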