Computer and Domain Controller Certificates
Posted on 2011-04-27
I have come into an environment where Certificate Services has been installed and an Enterprise Root CA has been created. I've got several years' experience with AD DS, but have never had to work with certificates until now. We recently began having problems with an Office Communications Server certificate, issued by the CA, that had expired. I've installed a lab environment for learning and to troubleshoot the issue. The lab consists of 5 machines: domain controller, certificate services, Office Communications Server, and 2 workstations. I have no GPOs configured except the default settings, so nothing to do with certificate enrollment or trusted root CAs. I have got Communications Server installed, requested a certificate from my CA and imported it into the server. Communicator generated a request in the form of a .txt file; I took it to my CA server and submitted the request, and it gave me a .cer file. I took the .cer back to the Communicator server and imported it, and everything is working fine. Both workstations can connect and IM through the server.
What I would like to understand now is in our production environment, someone set up group policies for auto requesting the certificate. Here are the settings in the production domain dealing with certificates:
Computer Config\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings\Automatic Certificate Request
- contains 2 objects: Computer and Domain Controller
..\Trusted Root Certificate Authorities
Allow users to select new root CAs - Enabled
Client computers trust the following stores - (default values)
To Perform auth. of users and comp. CAs must meet - Registered in Active Directory only
- contains a single certificate that appears to be the root CA itself. Its name is domain-computer-CA and the "issued by" field shows the same value (example: mydomain-CERTS1-CA) with intended purposes of <All>
Those are the only GPO settings in the domain for Public Key Policies. Can someone help me understand what these settings do? And why did I not need them in my lab environment? I intentionally left them out in an attempt to discover what they do and was expecting to have to add, in particular, the policy setting that adds the CA certificate to the trusted root settings on the servers/workstations. The application works fine without them though... not sure how Office Communications Server knows it can trust the generated certificate without a GPO adding the CA to the machine's trusted root CAs. Also, in production, due to the auto request GPO setting, every computer and server has a certificate issued to it if I look in the CA management console, or I can look at individual machines in Internet Settings > Content > Certificates. I wonder if the machines are actually using these to authenticate on the domain? It makes sense that the CA is issuing them because of the GPO, but how would I find out if they're really being used?
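Added example, not part of the original question or of any Microsoft tooling: a PowerShell script that checks, from a single domain-joined machine, the two things the question asks about: whether the enterprise CA is in the machine's Trusted Root store, and which certificates that CA has issued to the machine, from which template and for which purposes. The CA common name is a parameter; the default value reuses the placeholder name from the question (mydomain-CERTS1-CA) and must be replaced with the real CA name. Run it elevated so the LocalMachine stores are readable.

```powershell
# Added example (not from the original post). Inspects a domain member's
# certificate stores for an enterprise CA's root certificate and for
# machine certificates that CA issued.
# $CaName: the CA's common name; the default is the placeholder name from the
# question, not a real value.
param([string]$CaName = "mydomain-CERTS1-CA")

# OID of the v1 "Certificate Template Name" extension used by the built-in
# Computer ("Machine") and Domain Controller ("DomainController") templates.
$templateOid = "1.3.6.1.4.1.311.20.2"

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    if ($ext) { $ext.Format($false) } else { "(no template extension)" }
}

# 1. Is the enterprise CA trusted on this machine?
#    An Enterprise CA publishes its certificate to the AD configuration
#    partition, and domain members download it into LocalMachine\Root on
#    their own, which is why the lab works without a trusted-root GPO.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$CaName*" } |
    Select-Object -First 1
if ($root) {
    "Trusted root present: {0}  expires {1:u}  thumbprint {2}" -f `
        $root.Subject, $root.NotAfter, $root.Thumbprint
} else {
    "CA '$CaName' is NOT in the LocalMachine Trusted Root store"
}

# 2. Which certificates did this CA issue to the machine, from which
#    template, are they expired, and what do their EKUs allow?
#    EnhancedKeyUsageList is the property PowerShell's Cert: provider adds
#    to X509Certificate2 objects.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$CaName*" } |
    ForEach-Object {
        [pscustomobject]@{
            Subject  = $_.Subject
            Template = Get-TemplateName $_
            NotAfter = $_.NotAfter
            Expired  = ($_.NotAfter -lt (Get-Date))
            EKU      = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ", "
            HasKey   = $_.HasPrivateKey
        }
    } | Format-Table -AutoSize
```

The EKU column is the quickest answer to "are these used for domain authentication?": a certificate from the Computer template carries Client Authentication and Server Authentication, but ordinary domain logon still uses Kerberos with the machine account password, so that certificate is only exercised by something configured to ask for it (TLS on a service, 802.1X/EAP-TLS, and so on). A Domain Controller certificate is what a DC presents for LDAP over SSL and uses for smart card (PKINIT) logon. To see certificate use as it happens on a given machine, enable the CAPI2 operational log (`wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true`); it records each chain-building operation together with the certificate involved.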