Solved

How do Internet users obtain certificates from an Internal CA?

Posted on 2007-11-30
271 Views
Last Modified: 2013-12-04
What I want is to use certs as an authentication system. If the client doesn't have a cert issued by the CA, they don't get in. I understand the IIS configuration (I think), but how do they get the certs from the CA without having to request one (i.e. without going through the /certsrv process)? Can I create a cert and send it to them? I don't want to rely on a public CA system like Verisign. CAN IT BE DONE???
Question by:lesmydad
10 Comments
 
LVL 18

Expert Comment

by:PowerIT
ID: 20380721
Is this server or client authentication?

J.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 20380782
I'm assuming the client computers are not a part of your domain? First you need to install the root CA cert in the trusted root certification authorities store on each client computer:
http://technet2.microsoft.com/windowsserver/en/library/758c0043-17db-44b4-aad1-f23318acdd691033.mspx?mfr=true
http://www.novell.com/coolsolutions/feature/18875.html

After that, use the same method to deploy the actual client certs. If, however, they are connected to your domain, you can use certificate autoenrollment via Active Directory.

0
 
LVL 1

Author Comment

by:lesmydad
ID: 20380784
I want my clients to be able to authenticate against an IIS server. I can put a cert on an IIS server from my CA, but how do Internet clients get the client cert required for authentication?
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 20380839
Actually, yes, which one are you talking about: do you want to install a cert on the server so the clients can use SSL and make sure they're connecting to the correct server, or do you want to install client certificates to use for authentication? If the latter, follow the instructions I gave in my post above. If the former, after installing the cert on the server it will be offered to the clients when they connect. They will be prompted to accept and/or save the cert, but it will still give them an error when connecting, since the issuing root CA is not trusted.
0
 
LVL 1

Author Comment

by:lesmydad
ID: 20380968
My clients know where they are going. I need to know (on the server) if it's really them. Are you saying they don't need client certs, only a root CA cert? Doesn't sound right to me! They are domain clients but are not using a VPN to connect. They will use RPC/HTTP for email and HTTPS for access to web information. What I don't understand is: if they are not using a VPN, they cannot be given a cert by autoenrollment, so how do they get their own individual client cert without requesting one themselves? I'm sorry for being stupid!!! Please help.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 20380995
You need to both install the root CA cert, so the certs issued by that CA are automatically trusted by the clients. After that you install the client cert using the same method, but instead of installing it to the Trusted Root CAs store, you install it to the Personal certificate store of the user.

What I mean by them being domain clients is that if they are a part of your internal domain, you can roll out the certificates to them when they connect to your network, as in when they are in the office:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

If the clients *never* connect to your internal domain, you have to manually install the certs, either by having your users do it themselves, by scripting, or by creating an installation package with Wise/InstallShield/etc.
0
 
LVL 1

Author Comment

by:lesmydad
ID: 20381081
Can a generic client cert be made and emailed to my clients? That is, a cert that can be used by all clients?
If that's not possible, then how do I script it?
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 20381104
It can, but I'd recommend against it because of the security implications. That would mean that anyone in possession of the cert would be allowed access. A far better solution would be to use unique certs, but yes, they can be emailed to the users with instructions on how to install them.
0
 
LVL 1

Author Comment

by:lesmydad
ID: 20381119
CoccoBill, you've been great! Almost there now... you mentioned scripting or creating an installation package with Wise/InstallShield/etc. I know this is asking a lot, but how would I do that? Sounds sexy!!! Now you've got my interest!!
0
 
LVL 19

Accepted Solution

by: CoccoBill (earned 1500 total points)
ID: 20381248
Neither of those methods is trivial; a far easier method is to use GPO autoenrollment. To deploy the certs using logon scripts, you might want to check out this post:

http://www.visualbasicscript.com/m_37106/mpage_1/key_/tm.htm#37120

Wise and InstallShield are commercial installation packagers, but there are some free options. Going into the details on how to use them to create a certificate installation package is beyond the scope of this thread and my knowledge. :)

0
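As an added example (not code from the thread or from Microsoft's documentation), here is what the procedure CoccoBill describes above looks like when scripted for a Windows client: install the internal root CA cert into the Trusted Root store, install the user's own PFX into the user's Personal store, and then verify that what landed in the store is actually usable for client authentication against the IIS site. It uses the PKI module cmdlets (Import-Certificate / Import-PfxCertificate, available on Windows 8 / Server 2012 and later rather than the 2003-era tooling in this thread). The share paths, the root thumbprint, and the one-PFX-per-user naming scheme are all assumptions. The thumbprint pin is the part a practitioner should not skip: a logon script that installs whatever .cer happens to be on a file share turns anyone who can write to that share into a trusted CA for every client.

```powershell
# Added example, not from the original thread. Everything under "assumptions" is made up
# for illustration and must be replaced with your own values.
$ErrorActionPreference = 'Stop'

# --- assumptions -----------------------------------------------------------------
$RootCerPath    = '\\fileserver\certs\InternalRootCA.cer'             # assumed share
$RootThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'           # assumed; pin your real root's SHA-1 thumbprint
$UserPfxPath    = "\\fileserver\certs\users\$env:USERNAME.pfx"          # assumed: one unique PFX per user, never a shared one
$PfxPassword    = Read-Host -AsSecureString 'PFX password'              # delivered out of band, not in the same email as the PFX
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'                                   # id-kp-clientAuth EKU
# ---------------------------------------------------------------------------------

function Install-InternalRoot {
    # Load the .cer and refuse to install it unless it is the root we expect.
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerPath
    if ($root.Thumbprint -ne $RootThumbprint) {
        throw "Root CA thumbprint mismatch: got $($root.Thumbprint), expected $RootThumbprint"
    }
    # Idempotent: skip if this root is already trusted on the machine.
    $installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $RootThumbprint }
    if (-not $installed) {
        # LocalMachine\Root needs admin rights; if the script runs as the plain user,
        # Cert:\CurrentUser\Root is the per-user equivalent.
        Import-Certificate -FilePath $RootCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    }
    return $root
}

function Install-UserClientCert {
    # The user's own cert goes into the user's Personal store (CurrentUser\My).
    # Import-PfxCertificate marks the private key non-exportable unless -Exportable is
    # given, which makes the cert harder to copy on to another machine than a shared
    # "generic" cert that every client has anyway.
    return Import-PfxCertificate -FilePath $UserPfxPath `
                                 -CertStoreLocation Cert:\CurrentUser\My `
                                 -Password $PfxPassword
}

function Test-ClientCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedRootThumbprint
    )
    # 1. The cert must chain to *our* root, not merely to something in the store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # remote clients may not reach the CA's CRL; tighten for production
    if (-not $chain.Build($Cert)) { return $false }
    $rootInChain = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($rootInChain.Thumbprint -ne $ExpectedRootThumbprint) { return $false }

    # 2. It must carry the Client Authentication EKU or IIS will not accept it.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ekuExt) { return $false }
    $ekuExt = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt
    $hasClientAuth = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }

    # 3. It must have a private key; a bare public cert cannot answer the TLS challenge.
    return [bool]($hasClientAuth -and $Cert.HasPrivateKey)
}

$root = Install-InternalRoot
$user = Install-UserClientCert
if (Test-ClientCert -Cert $user -ExpectedRootThumbprint $root.Thumbprint) {
    Write-Host "Client cert '$($user.Subject)' installed and usable for client authentication"
} else {
    throw "Client cert '$($user.Subject)' failed verification and will not work against the IIS site"
}
```

On clients too old for the PKI module, the two store operations are the same idea with certutil: `certutil -addstore Root InternalRootCA.cer` for the root and `certutil -user -importPFX user.pfx` for the user's PFX; the thumbprint comparison and EKU check then have to be done by hand or with a small script. The verification step is also what separates "unique certs" from the "generic cert" discussed earlier in the thread: with one cert per user the server can map the presented certificate to a specific account and revoke just that one, whereas a shared cert identifies nobody and, once it leaks, can only be revoked for everyone at once.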
