Handling User Certificates for Other Users

We have an internal certificate authority. We are using Windows Server 2003 Standard SP2. We have a need to issue user certificates for one of our mobile devices. I tested this with my account and it works fine. The problem I am running into is handling the certificates for the other users. With the deployment application, when I go to select a user certificate for the mobile device I can only select what is in my personal store. I have tried running this under the Admin account for the CA (domain admin) with little luck. What is the best way to handle the user certs? I need a way to get the appropriate user cert from the CA to the mobile device configuration app.
arnold Commented:
If memory serves me right, you have to use an account that is trusted for obtaining a certificate on behalf of another user.
Are you using http://CAservername/Certsrv and then the advanced options?

barrykeel (Author) Commented:
I have a user that can request certs for another user. However, that user has to have an enrollment agent certificate issued, correct? And deploying the templates requires Enterprise server, correct?
Also, when clicking advanced at http://CAservername/Certsrv, the only request I have for another user is for a smart card. I think this may be fairly easy once I get this part solved. The real hard part, I think, is accessing the cert from the device configuration utility. It is the iPhone Configuration Utility. When I go to add a user cert from the utility it always looks in my personal certificate store. I believe the user cert for this needs to be the PK7 with the private key. Again, I got the iPhone utility to create a profile for myself and deploy that to the phone, and that works fine. The problem is trying to create the profile for my other users. I am wanting to authenticate to the Exchange Active Sync directory via a certificate so that the user does not have to change their password on the phone every 60 days. My phone is authenticating fine with this scenario. As far as Enterprise, I know I am going to have to upgrade to extend the certificate expiration date.
arnold Commented:
I think you can generate a CSR at the.

You can generate a CSR on behalf of the other user

When you generate the request for another user, you can then export the other user's certificate and private key, which is then imported by the other user on their device.
When using the advanced certificate request, there is an option to export and save the data to a file.

You would have to use the command line tools to request/create the certificate for the other user:

certreq -New /?
Create a file that will be used as the parameter setting with certreq -New thefile_with_contents_below.inf outputfile.req. The lines below are the documented [NewRequest] settings; keep the ones that apply to your request and replace the "..." placeholders:

    [NewRequest]
    Subject = "CN=..,OU=...,DC=..."
    PrivateKeyArchive = TRUE               ; only with key archival on an enterprise CA
    KeySpec = 1                            ; AT_KEYEXCHANGE: key can both sign and decrypt
    KeyLength = 1024
    RenewalCert = CertId                   ; renewal only; leave out for a new certificate
    Exportable = TRUE                      ; required if the private key is to be exported later
    UserProtected = TRUE                   ; prompt for a password whenever the key is used (not with Silent)
    KeyContainer = "..."                   ; reuse an existing key container (with UseExistingKeySet)
    MachineKeySet = FALSE                  ; TRUE puts the key in the machine store; FALSE for a user certificate
    Silent = TRUE                          ; suppress prompts
    ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
    ProviderType = 1
    UseExistingKeySet = TRUE               ; renewal only; leave out for a new certificate
    RequesterName = DOMAIN\User            ; the user the certificate is for (enroll on behalf of)
    RequestType = PKCS10                   ; one of PKCS10, PKCS10-, PKCS7, CMC
    KeyUsage = 0x80                        ; digital signature
    EncipherOnly = TRUE                    ; only meaningful together with a key agreement usage

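The full request-and-export sequence that the INF above feeds into, as an added example (not code from the thread, from Microsoft, or from any participant). It is written to run in the logon session of the user the certificate is for, which is the "secure request workstation" approach described later in the thread. The CA config string, template name, subject, output directory and PFX password are assumptions; replace them with your own.

```powershell
# Added example, not from the thread: request a user certificate with certreq and
# export certificate + private key as a PKCS#12 (.pfx) with certutil.
# Assumed values (not on the page): CA config string, template, subject, paths, password.
param(
    [string]$CAConfig    = 'ca01.example.local\Example-CA',   # "CAHost\CAName"; certutil -dump shows yours
    [string]$Template    = 'User',                            # v1 template; only honored by an enterprise CA
    [string]$Subject     = 'CN=Jane Doe,OU=Users,DC=example,DC=local',
    [string]$WorkDir     = (Join-Path $env:TEMP 'certreq-example'),
    [string]$PfxPassword = 'ChangeMe-Example'                 # the phone prompts for this at install time
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$inf = Join-Path $WorkDir 'user.inf'
$req = Join-Path $WorkDir 'user.req'
$cer = Join-Path $WorkDir 'user.cer'
$pfx = Join-Path $WorkDir 'user.pfx'

# Exportable = TRUE is what later lets certutil write the private key into the .pfx;
# MachineKeySet = FALSE keeps the key in the logged-on user's store, not the machine's.
# On an enterprise CA the template overrides Subject and EKU with values from AD;
# a standalone CA uses them as written here.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
UserProtected = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# Generate the key pair in the user's store and write the PKCS#10 request.
& certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Submit. An enterprise CA issues immediately; a standalone CA leaves the request
# pending until an administrator issues it, after which certreq -retrieve fetches it.
$submitOut = & certreq.exe -submit -config $CAConfig $req $cer 2>&1 | Out-String
if ($submitOut -match 'pending' -and $submitOut -match 'RequestId:\s*"?(\d+)') {
    $requestId = $matches[1]
    Write-Warning "Request $requestId is pending. Issue it in the CA console, then run:"
    Write-Warning "  certreq -retrieve -config `"$CAConfig`" $requestId `"$cer`" ; certreq -accept `"$cer`""
    return
}
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed:`n$submitOut" }

# Bind the issued certificate to the private key created by -new.
& certreq.exe -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Export certificate + private key as PKCS#12; the thumbprint is an unambiguous CertId.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
& certutil.exe -user -p $PfxPassword -exportPFX My $issued.Thumbprint $pfx
if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed with exit code $LASTEXITCODE" }

# Check the file before handing it to the Configuration Utility: it must carry the key.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $pfx, $PfxPassword, 'Exportable'
if (-not $check.HasPrivateKey) { throw "$pfx has no private key; was Exportable = TRUE in the INF?" }
"Wrote $pfx for $($check.Subject), valid until $($check.NotAfter)"
```

The final check matters more than it looks: a .pfx exported from a key that was created without Exportable = TRUE, or from the wrong store, carries only the certificate, and the iPhone Configuration Utility will accept it but the phone will then have nothing to authenticate with.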

barrykeel (Author) Commented:
So I can just request on behalf from the command line and not use the website? Would I need to put our data in the text file, such as OU=..., etc.?

You stated "When you generate the request for another user, you can then export the other users certificate and private key which is then imported by the other user on their device."

I want to be sure we are talking about the same thing here. With the iPhone utility, you import the certs and save out a mobile config file. The config file would then reside on a web portal. The user logs in with the browser on the iPhone to the portal. He would then see his mobile config link. He clicks the link and the config file downloads to the phone and installs. His phone is now configured for our environment. We really do not want the user having to import the certs to their device. We want to deploy them in the above scenario.
barrykeel (Author) Commented:
Sorry meant to add to the last post. In the scenario we want to use to deploy the config files, when trying to import the user cert into the iphone utility, this is where it looks to my personal certificate store and I cannot see other user certs.
arnold Commented:
When you have the output file from running certreq, you can import it, as it should include the private key and signed certificate.
You would need to make sure that you have the correct version of output, i.e. X.509 or PKCS#12.

My advice would be to do one thing at a time. First make sure you can use certreq with the correct parameters to generate the private key/certificate for another user.
Once you have that completed, you can work on the config, which presumably includes the reference to the certificate file.
i.e. config to be loaded by iphone:
certificate_load-from_file or is part of the config
--Begin Certificate here ---
Base64 encoded certificate
--End Certificate --
--Begin RSA key --
--End Key --

Not sure if you set a password on the key, whether the user will be prompted for the password prior to the key/certificate are imported.
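The sketch above guesses at the shape of the profile. As an added example (not code from the thread, from Apple, or from any participant), this is what the iPhone Configuration Utility actually saves: an XML property list in which the .pfx is embedded as a base64 com.apple.security.pkcs12 payload and the Exchange ActiveSync payload points at it by UUID. The payload keys follow Apple's Configuration Profile Reference; the host name, identifier prefix, account names and file paths are assumptions.

```powershell
# Added example, not from the thread: build a .mobileconfig with an embedded PKCS#12
# identity and an Exchange ActiveSync account that authenticates with it.
# Assumed: the EAS host, identifier prefix, user/email values and paths used below.
function New-EasMobileConfig {
    param(
        [Parameter(Mandatory = $true)] [string]$PfxPath,
        [string]$PfxPassword,                                # empty: the phone prompts for it at install
        [Parameter(Mandatory = $true)] [string]$UserName,    # account name the EAS server expects
        [Parameter(Mandatory = $true)] [string]$EmailAddress,
        [Parameter(Mandatory = $true)] [string]$EasHost,     # e.g. mail.example.com (assumed)
        [string]$IdPrefix = 'local.example.profiles'         # assumed reverse-DNS PayloadIdentifier prefix
    )

    $esc      = { param($s) [System.Security.SecurityElement]::Escape($s) }   # XML-escape user input
    $pfxB64   = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($PfxPath))
    $fileName = [System.IO.Path]::GetFileName($PfxPath)
    $certUuid = [guid]::NewGuid().ToString().ToUpper()
    $easUuid  = [guid]::NewGuid().ToString().ToUpper()
    $profUuid = [guid]::NewGuid().ToString().ToUpper()

    # The Password key is written only when a password is supplied. Leaving it out makes
    # iOS prompt for the PKCS#12 password during installation, which keeps the password
    # out of a file that sits on a web portal.
    return @"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>$IdPrefix.pkcs12.$certUuid</string>
      <key>PayloadUUID</key><string>$certUuid</string>
      <key>PayloadDisplayName</key><string>$(& $esc $EmailAddress) identity</string>
      <key>PayloadCertificateFileName</key><string>$(& $esc $fileName)</string>
      <key>PayloadContent</key><data>$pfxB64</data>
      $(if ($PfxPassword) { "<key>Password</key><string>$(& $esc $PfxPassword)</string>" })
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.eas.account</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>$IdPrefix.eas.$easUuid</string>
      <key>PayloadUUID</key><string>$easUuid</string>
      <key>PayloadDisplayName</key><string>Exchange ActiveSync</string>
      <key>Host</key><string>$(& $esc $EasHost)</string>
      <key>SSL</key><true/>
      <key>UserName</key><string>$(& $esc $UserName)</string>
      <key>EmailAddress</key><string>$(& $esc $EmailAddress)</string>
      <key>PayloadCertificateUUID</key><string>$certUuid</string>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>$IdPrefix.$profUuid</string>
  <key>PayloadUUID</key><string>$profUuid</string>
  <key>PayloadDisplayName</key><string>Exchange ActiveSync ($(& $esc $EmailAddress))</string>
  <key>PayloadRemovalDisallowed</key><false/>
</dict>
</plist>
"@
}

# Usage (paths and names assumed): write the profile for the portal after checking it parses as XML.
$profile = New-EasMobileConfig -PfxPath 'C:\certs\jdoe.pfx' -UserName 'EXAMPLE\jdoe' `
    -EmailAddress 'jdoe@example.com' -EasHost 'mail.example.com'
$null = [xml]$profile    # throws if any value broke the XML
[System.IO.File]::WriteAllText('C:\certs\jdoe.mobileconfig', $profile, (New-Object System.Text.UTF8Encoding $false))
```

Because the profile carries the user's private key (and, if you include it, the PKCS#12 password in clear text), the portal link must only be reachable by that user after authentication and only over HTTPS, which is the arrangement the question describes.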
barrykeel (Author) Commented:
They will be prompted on the phone for the password if you set one. It did when setting up my phone. I will try the certreq first and complete that. Once that is done I will try to post back on the import into the config utility.
barrykeel (Author) Commented:
I tried a different method and have made some progress. The user file I need is the pfx with the private key. I had a test user get the cert from the website http://CAservername/Certsrv and then export it with the private key and give me the pfx file. After a few tries I was able to get the certificate installed correctly on my computer where the iPhone Configuration Utility could see and import the certificates as needed. So now I am at the issue of requesting the cert for the user, which was suggested to use certreq, and the issue of getting the pfx file with the private key from the CA. After some other research I saw a lot of people suggesting to export the cert with certutil. What would you recommend for the easiest request/export as pfx? Do you know what the command line would be?
arnold Commented:
Using certreq will do two things at the same time. The outfile will include the data.
PFX (PKCS#12) might need to be converted to DER/PEM format.
If you are done with the format of the file to request certificates, certutil could be an avenue to explore.
barrykeel (Author) Commented:
I read a good bit of Brian Komar's PKI book and got a few insights. You are correct on using an Enrollment Agent for enrolling on behalf of a user. However, from my reading it appears that using Key Archival you can obtain a PKCS#12 using a recovery agent account. This does require Enterprise for key archival. Also, I will need Enterprise to extend the life of a cert and deploy a custom template.

My CA's root cert expires in 3 months, so I am planning to upgrade the CA to Enterprise before then. I have also come up with a plan for dealing with user certs. Before we update to Enterprise, we are going to set up a test Enterprise Root CA and an issuing subordinate in a test domain. We will also set up an Enrollment Agent account and a Recovery Agent account to see how this will work for us. We think our plan will be to set up the Root CA, the subordinate CA, and then take the root CA offline and use the agents for key handling. We are a small to mid size organization, so we are still deciding on 2 CAs or 1 Enterprise CA.

For the meantime, we will take a different approach to the user certs with the CA we have now. We might even use this same approach after we upgrade. Since we do not need a user cert at the local workstation, we are not going to auto deploy or have the end user request a cert. This will also minimize the risk of losing the private key if the user's workstation crashes. If a user needs a cert we will notify the user that they are going to be required to have a password change and what we are doing to get their cert. We will change their password from AD, log on as the user from a secure workstation that we will use for cert requests, request the cert for them, export out the PKCS#12 file we need and store that file with the private key securely. We will then require that they change password at next login. This way we can secure their private key and not have to deploy it to their workstation. We will now have what we need for the mobile devices with little interaction from the end user. This might not be the correct approach, but we feel this will be best for our needs right now.

Any thought on this approach and the 1 CA vs 2?
arnold Commented:
1 CA with a good/regular backup. No point in having two CAs turned off.
barrykeel (Author) Commented:
Thanks. Do you see any issue with handling the certificates like I described?
arnold Commented:
The "issues" deal with the two steps you seem to be considering.
If you log in as the user and generate the request, you would need to use certmgr.msc and export the user's key/cert. There is no need for the recovery agent for this specific process.
The issue remains that to get a machine certificate for the user's system, i.e. for VPN, you would still need an enrollment agent.
barrykeel (Author) Commented:
Damn, don't confuse me just when I thought I had a handle on it. I think I see concerning the machine; you mean, for example, for their laptop to connect to VPN? You are saying they need a machine and user certificate? For machines you could auto enroll, right? However, for mobile devices such as our phones, the user can authenticate to the Exchange Active Sync directory as I described earlier, as I have tested that with several users.
arnold Commented:
I think a VPN connection uses a machine account certificate. Non-AD systems might not be a concern for you in terms of VPN.
The user certificate is likely used on an SSL VPN connection or when the user accesses an SSL website where the client certificate is required as the means of authentication, as you point out with the Exchange sync.
barrykeel (Author) Commented:
We use SSL VPN for VPN connectivity. So I do not think a machine cert will be needed for us. I believe, after this thread with you giving some pointers and the book I just read, I am going to be able to do what we need. Just want to make sure I do it as close as possible to what would be the right way or would be considered best practice.
arnold Commented:
Good luck. Best practices are often for a homogeneous environment; with the variations of technology, and the rapid pace at which new items come to market and are at times adopted, one has to come as close to best practices as one can. In this environment, best practice is a goal that is elusive and a moving target as new things are added and time passes on.