Solved

Windows 2008 applying certificates to servers, workstations and users. Online Responder and OCSP vs. GPO.

Posted on 2011-09-13
Last Modified: 2012-05-12
I have set up a Windows 2008 Certificate Services server in a stand-alone workgroup and created my ROOTCA.
Then set up my issuing Certificate Services Windows 2008 server in my domain.
I have used certutil to publish my RootCA to Active Directory and I have entered my RootCA in Trusted Root Certificates in Group Policy.
Everything is in place and I am ready to issue the certificates to servers, workstations and users.
I would like to look at several ways to deploy my certificates.
Set up the Online Responder and use OCSP certificate templates? Seems like a bit more work than I was planning on. Is there a client piece?
Manually, what is the fastest way to assign a certificate to a server, workstation or user? Just click on it and install it?
Just push it out with a Group Policy? Seems the fastest, easiest way.

What do you think?
Question by:lanman777
Accepted Solution

by:
Shmoid earned 500 total points
ID: 36534059
I wouldn’t bother with Online Responders. OCSP is not yet very widely used. Also remember, OCSP is not for deploying certificates but checking the validity of a certificate. Someday it may replace Certificate Revocation Lists (CRL) but not anytime soon.

As you mention, the fastest way to deploy certificates is auto-enrollment/Group Policy. Just be sure your templates have the appropriate permissions and your Default Domain policy for both computers and users is set up.

Author Comment

by:lanman777
ID: 36537702
Ok. I am new to this, so I will not be installing the online responder.
I have created a GPO for my certificate and imported my cert into my GPO. I have then assigned my GPO to a TEST OU where I have a test server. Will the server apply the cert? Or do I need to set up a CRL and a template?
If I need to create them, can you recommend the steps or a document?
Nothing has shown up on my test server after I load MMC and Certificates\Computers. Still no cert in the personal folder.
What do I need to do?

I have applied my RootCA to my Trusted Root Certificates GPO. I opened this GPO and it shows it is there and trusted. Looks like my 3 DCs have it now; on my issuing Certificate Services server, under "Issued Certificates", my DCs are now listed in my Issued Certificates.


Expert Comment

by:Shmoid
ID: 36544069
Sounds like you are on the right track. If you have auto-enrollment enabled in your policy and the template has permissions for read, enroll and auto-enrollment for the test server (or domain computers group) then it will get the cert automatically.
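One way to check the points raised in this thread from the test server itself, as an added example that is not part of the original posts: it confirms the auto-enrollment policy has arrived, that the root CA is trusted, triggers enrollment, and lists what landed in the computer's Personal store. The root CA name below is a placeholder, and the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the thread). Run elevated on the test server.
$rootName = 'ROOTCA-PLACEHOLDER'   # placeholder: substitute the CN of your own root CA

# 1. Has the computer auto-enrollment setting from the GPO reached this machine?
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae) {
    Write-Warning 'AEPolicy not set: no auto-enrollment policy applies to this computer.'
} elseif ($ae.AEPolicy -band 0x8000) {
    Write-Warning 'Auto-enrollment is explicitly disabled by policy.'
} else {
    'Auto-enrollment policy present (AEPolicy = 0x{0:X})' -f $ae.AEPolicy
}

# 2. Is the root CA in the machine's Trusted Root store? Without it the
#    issued certificate will not chain to a trusted root.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$rootName*" }
if ($root) { "Root CA trusted, expires $($root[0].NotAfter)" }
else       { Write-Warning "Root CA '$rootName' not found in Trusted Root store." }

# 3. Refresh computer policy, then ask the auto-enrollment engine to run now.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 30            # enrollment runs asynchronously

# 4. List what is in Certificates (Local Computer) > Personal, including the
#    template each certificate was issued from.
$templateOids = '1.3.6.1.4.1.311.21.7',   # Certificate Template Information (v2+)
                '1.3.6.1.4.1.311.20.2'    # Certificate Template Name (v1)
$certs = @(Get-ChildItem Cert:\LocalMachine\My)
if ($certs.Count -eq 0) {
    Write-Warning 'Personal store is empty: check that the template grants Read, Enroll and Autoenroll to this computer and is published on the issuing CA.'
}
$certs | Select-Object Subject, Issuer, NotAfter, HasPrivateKey,
    @{ Name = 'Template'; Expression = {
        $ext = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value }
        if ($ext) { @($ext)[0].Format($false) } else { '(none)' }
    } } | Format-List
```

An empty Personal store after step 3 together with a present AEPolicy value points at the template side (permissions or publication on the issuing CA) rather than at the GPO.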