Enterprise Microsoft Certificate Authority

Posted on 2008-06-17
Medium Priority
Last Modified: 2008-07-15
I am in the process of implementing an Enterprise Certificate Authority on our network. Though, on our network, we already have another 2 enterprise CAs. We only want the laptop OUs in our Active Directory to be able to get certificates from this new CA.

How do we configure the new CA so that only the laptop OUs get certificates from the new Certificate Authority? At the same time, laptops in the laptop OUs shouldn't get any certs from the other two Certificate Authorities?
Question by:dongocdung
LVL 81

Expert Comment

ID: 21807340
You can configure a GPO policy in
computer settings\windows settings\security settings\public key policies\.

Is the new CA you are setting up a delegated one of the existing ones?
somedomainexample.com is the DC CAs.
The new one is


Author Comment

ID: 21809745

Thank you for your info.

Though can you be a little bit more specific of what we have to do. For example, what do we have to do exactly on Group Policy?

By the way, this new CA is a brand new CA, not a delegated one of the existing ones.

LVL 81

Expert Comment

ID: 21810346
Not sure why you would want to have two separate CAs since you would run into problems (certificate validity).
Is the new CA also a DC?
In the GPO you can import the CA's certificate.

Are you planning on having the systems automatically enroll or do you plan on generating and submitting the requests?
The auto-enroll option does not include a place where you can define to which CA to submit the request.
I think the action will be to submit the request to the DC-CA, but unsure whether the existing CA will supersede the newly created one.

Author Comment

ID: 21812243
Can we use permission to restrict access?

For example: I can go to Sites and Services/Services/Public Key Services/Certificate Authorities and then go to Security. Right click on the new Certificate Authority. Remove Authenticated Users and then add in the laptop users OU.

Can I do that?
LVL 81

Accepted Solution

arnold earned 2000 total points
ID: 21812408
You can and should, however, I am not sure how you would force the laptops to submit the request to a specific host if it is not the DC against which they authenticate.
You might have to configure the existing CA to forward the certificate request for the laptops to the new CA.
If you manually generate the request, you might be able to specify to which CA you would like the request submitted.
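The permission change discussed in the last two comments, scripted as an added example (this is not code from the thread or from Microsoft). Two points the comments leave implicit: an AD ACL takes security principals, so the laptop computer accounts need to be in a security group rather than just in an OU (the group name 'Laptop-Computers' and the CA name 'LAPTOP-CA' below are placeholders), and the object being edited is the CA's entry under CN=Enrollment Services in the Configuration partition, which is what autoenrolling clients consult to decide which CAs they may submit to. The script assumes the ActiveDirectory RSAT module and an account allowed to edit the Configuration partition; it first lists who currently holds Enroll on that object, then replaces the default Authenticated Users grant with the group, and supports -WhatIf so the change can be reviewed before it is written.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT) and
# rights to edit the Configuration partition. 'LAPTOP-CA' and 'Laptop-Computers'
# are placeholder names.
Import-Module ActiveDirectory

# Well-known GUID of the Certificate-Enrollment extended right ("Enroll" in the GUI).
$EnrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Get-EnrollmentServiceDN {
    # Resolves the CA's pKIEnrollmentService object under CN=Enrollment Services.
    param([Parameter(Mandatory)][string]$CaName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $obj = Get-ADObject -SearchBase $base -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$CaName))"
    if (-not $obj) { throw "No Enrollment Services object named '$CaName' under $base" }
    return $obj.DistinguishedName
}

function Get-CaEnrollPrincipals {
    # Lists every principal that can enroll against this CA: an explicit Enroll ACE,
    # a blanket ExtendedRight ACE, or GenericAll all confer the right.
    param([Parameter(Mandatory)][string]$CaName)
    $dn  = Get-EnrollmentServiceDN -CaName $CaName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ObjectType -eq $EnrollRight -or
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ($_.ObjectType -eq [Guid]::Empty -and
             $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight))
        )
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

function Set-CaEnrollToGroup {
    # Removes 'Authenticated Users: Enroll' and grants Enroll to the named group only.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CaName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $dn       = Get-EnrollmentServiceDN -CaName $CaName
    $acl      = Get-Acl -Path "AD:\$dn"
    $groupSid = (Get-ADGroup -Identity $GroupName).SID

    # S-1-5-11 is the well-known SID of Authenticated Users.
    foreach ($ace in @($acl.Access)) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq 'S-1-5-11' -and $ace.ObjectType -eq $EnrollRight) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $EnrollRight)
    [void]$acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($dn, "Replace 'Authenticated Users' Enroll with '$GroupName'")) {
        Set-Acl -Path "AD:\$dn" -AclObject $acl
    }
}

# Review the current grants, then dry-run the change before applying it for real.
Get-CaEnrollPrincipals -CaName 'LAPTOP-CA'
Set-CaEnrollToGroup -CaName 'LAPTOP-CA' -GroupName 'Laptop-Computers' -WhatIf
```

Two checks go with this. The Enrollment Services ACL steers which CA a client picks for autoenrollment, but the request is also authorized on the CA itself: the CA's Properties > Security tab in certsrv.msc carries a separate "Request Certificates" permission, and it should be narrowed to the same group so a manually targeted request is refused as well. And the reverse half of the question (laptops not enrolling from the other two CAs) is the same edit applied to those CAs' Enrollment Services objects, granting Enroll to a group that excludes the laptop accounts. Run Get-CaEnrollPrincipals against all three CAs afterwards to confirm that no blanket ExtendedRight or GenericAll ACE still grants Enroll to a wider set than intended.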
LVL 81

Expert Comment

ID: 21812899
