How do Internet users obtain certificates from an Internal CA?

What I want is to use certs as an authentication system. If the client doesn't have a cert issued by the CA, they don't get in. I understand the IIS configuration (I think), but how do they get the certs from the CA without having to request one (i.e. without going through the /certsrv process)? Can I create a cert and send it to them? I don't want to rely on a public CA system like Verisign. CAN IT BE DONE???
lesmydad Asked:

CoccoBill Commented:
Neither of those methods is trivial; a far easier method is to use GPO autoenrollment. To deploy the certs using logon scripts, you might want to check out this post:

http://www.visualbasicscript.com/m_37106/mpage_1/key_/tm.htm#37120

Wise and InstallShield are commercial installation packagers, but there are some free options. Going into the details on how to use them to create a certificate installation package is beyond the scope of this thread and my knowledge. :)


PowerIT Commented:
Is this server or client authentication?

J.

CoccoBill Commented:
I'm assuming the client computers are not a part of your domain? First you need to install the root CA cert in the trusted root certification authorities store on each client computer:
http://technet2.microsoft.com/windowsserver/en/library/758c0043-17db-44b4-aad1-f23318acdd691033.mspx?mfr=true
http://www.novell.com/coolsolutions/feature/18875.html

After that use the same method to deploy the actual client certs. If however they are connected to your domain, you can use certificate autoenrollment via active directory.


lesmydad (Author) Commented:
I want my clients to be able to authenticate against an IIS server. I can put a cert on an IIS server... from my CA, but how do Internet clients get the client cert required for authentication?

CoccoBill Commented:
Actually yes, which one are you talking about: do you want to install a cert on the server so the clients can use SSL and make sure they're connecting to the correct server, or do you want to install client certificates to use for authentication? If the latter, follow the instructions I gave in my post above. If the former, after installing the cert on the server it will be offered to the clients when they connect. They will be prompted to accept and/or save the cert, but it will still give them an error when connecting, since the issuing root CA is not trusted.

lesmydad (Author) Commented:
My clients know where they are going... I need to know (on the server) if it's really them. Are you saying they don't need client certs, only a root CA cert? Doesn't sound right to me! They are domain clients but are not using a VPN to connect. They will use RPC/HTTP for email and HTTPS for access to web information. What I don't understand is, if they are not using a VPN they cannot be given a cert by autoenrollment, so how do they get their own individual client cert without requesting one themselves? I'm sorry for being stupid!!! Please help

CoccoBill Commented:
You need to install the root CA cert so the certs issued by that CA are automatically trusted by the clients. After that you install the client cert using the same method, but instead of installing it to the Trusted Root CAs store, you install it to the Personal certificate store of the user.

What I mean by them being domain clients is that if they are a part of your internal domain, you can roll out the certificates to them when they connect to your network, as in when they are in the office:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

If the clients *never* connect to your internal domain, you have to manually install the certs, either by having your users do it themselves, by scripting, or by creating an installation package with Wise/InstallShield/etc.

lesmydad (Author) Commented:
Can a generic client cert be made and emailed to my clients? That is, a cert that can be used by all clients?
If not possible, then how do I script it?

CoccoBill Commented:
It can, but I'd recommend against it because of the security implications. That would mean that anyone in possession of the cert would be allowed access. A far better solution would be to use unique certs, but yes, they can be emailed to the users with instructions on how to install them.

lesmydad (Author) Commented:
CoccoBill, you've been great! Almost there now... you mentioned scripting or creating an installation package with Wise/InstallShield/etc. I know this is asking a lot, but how would I do that? Sounds sexy!!! Now you've got my interest!!
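The install steps CoccoBill describes (internal root CA cert into the machine's Trusted Root store, each user's own client cert into that user's Personal store) written as a PowerShell script; this is an added example, not code from the thread or from any of its participants. The file paths and the per-user PFX name are assumptions; the script must run elevated for the machine-wide root store step, and the PFX password is prompted for rather than embedded in the script.

```powershell
# Added example: install the internal root CA cert and one user's unique client cert,
# then verify the client cert actually chains to that root before declaring success.
# Assumed: both files were delivered to the client out of band (e.g. e-mail + phone call
# for the PFX password); run elevated so the LocalMachine\Root write succeeds.
param(
    [string]$RootCerPath   = 'C:\deploy\internal-root-ca.cer',   # assumed path
    [string]$ClientPfxPath = 'C:\deploy\jsmith-client.pfx'       # assumed path, one PFX per user
)
Add-Type -AssemblyName System.Security   # X509 store and chain types

$X509 = 'System.Security.Cryptography.X509Certificates'
$root = New-Object "$X509.X509Certificate2"($RootCerPath)

# 1. Trusted Root Certification Authorities, machine-wide. Use 'CurrentUser' instead
#    of 'LocalMachine' if the script cannot run elevated on the client.
$rootStore = New-Object "$X509.X509Store"('Root', 'LocalMachine')
$rootStore.Open('ReadWrite')
if (-not $rootStore.Certificates.Contains($root)) { $rootStore.Add($root) }
$rootStore.Close()

# 2. Personal store of the current user: the client cert together with its private key.
#    UserKeySet keeps the key in this user's profile; PersistKeySet makes it survive logoff.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$flags  = [Enum]::Parse("$X509.X509KeyStorageFlags", 'UserKeySet, PersistKeySet')
$client = New-Object "$X509.X509Certificate2"($ClientPfxPath, $pfxPassword, $flags)
if (-not $client.HasPrivateKey) {
    throw 'PFX contains no private key; it cannot be used for client authentication'
}
$myStore = New-Object "$X509.X509Store"('My', 'CurrentUser')
$myStore.Open('ReadWrite')
if (-not $myStore.Certificates.Contains($client)) { $myStore.Add($client) }
$myStore.Close()

# 3. Verify: build the chain offline and require that it terminates at *our* root,
#    so a cert from some other CA that happens to be installed is not silently accepted.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline client; IIS checks revocation at logon
$built = $chain.Build($client)
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not $built -or $top.Thumbprint -ne $root.Thumbprint) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Client cert does not chain to the expected root $($root.Subject): $why"
}
Write-Host "Installed $($client.Subject) for client authentication; chains to $($root.Subject)"
```

Packaging this script (or an equivalent certutil call) in an installer only wraps the same two store writes; the chain check at the end is what tells you the user will actually pass IIS client-certificate authentication rather than see a trust error.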