Solved

Windows 2008 applying certificates to servers, workstations and users. Online Responder and OCSP vs. GPO.

Posted on 2011-09-13
Last Modified: 2012-05-12
I have set up a Windows 2008 Certificate Services server in a stand-alone workgroup and created my RootCA.
Then I set up my issuing Certificate Services Windows 2008 server in my domain.
I have used certutil to publish my RootCA to Active Directory and I have entered my RootCA in Trusted Root Certificates in Group Policy.
Everything is in place and I am ready to issue the certificates to servers, workstations and users.
I would like to look at several ways to deploy my certificates.
Set up the Online Responder and use OCSP certificate templates? Seems like a bit more work than I was planning on; is there a client piece?
Manually, what is the fastest way to assign a certificate to a server, workstation or user? Just click on it and install it?
Just push it out with a Group Policy? Seems the fastest, easiest way.

What do you think?
Question by:lanman777
3 Comments

Accepted Solution

by: Shmoid (earned 500 total points)
ID: 36534059
I wouldn’t bother with Online Responders. OCSP is not yet very widely used. Also remember, OCSP is not for deploying certificates but checking the validity of a certificate. Someday it may replace Certificate Revocation Lists (CRL) but not anytime soon.

As you mention, the fastest way to deploy certificates is auto-enrollment/Group Policy. Just be sure your templates have the appropriate permissions and your Default Domain policy for both computers and users is set up.

Author Comment

by:lanman777
ID: 36537702
Ok. I am new to this, so I will not be installing the online responder.
I have created a GPO for my certificate and imported my cert into my GPO. I have then assigned my GPO to a TEST OU where I have a test server. Will the server apply the cert? Or do I need to set up a CRL and a template?
If I need to create them can you recommend the steps or a document?
Nothing has shown up on my test server after I load MMC and Certificates\Computers. Still no cert in the personal folder.
What do I need to do?

I have applied my RootCA to my Trusted Root Certificates GPO. I opened this GPO and it shows it is there and trusted. Looks like my 3 DCs have it now; on my issuing Certificate Services server, under "Issued Certificates", my DCs are now listed.


Expert Comment

by:Shmoid
ID: 36544069
Sounds like you are on the right track. If you have auto-enrollment enabled in your policy and the template has permissions for read, enroll and auto-enrollment for the test server (or domain computers group) then it will get the cert automatically.
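Worked example, added to this thread and not part of either of Shmoid's replies: a PowerShell script that does what the accepted answer and the last comment describe, in order. It enables the computer auto-enrollment policy in a GPO, checks that the template ACL actually grants the Enroll and Autoenroll extended rights to the computers, forces an enrollment pass on the test server, and then, to make the point that CRL/OCSP is about validity rather than deployment, runs a revocation check against whatever certificate arrived. The GPO name "PKI Autoenrollment", the template name "TestServerAuth" and the use of "Domain Computers" as the principal are placeholders for this example; the GroupPolicy and ActiveDirectory modules (RSAT) are assumed to be present where steps 1 and 2 run, and steps 3 and 4 are meant to be run on the test server itself.

```powershell
# Added example (not from the original thread). Placeholder names: adjust to your own GPO
# and template. Steps 1-2 need the GroupPolicy and ActiveDirectory modules (RSAT);
# steps 3-4 run on the enrolling computer in an elevated prompt.
$gpoName      = 'PKI Autoenrollment'   # assumed GPO name
$templateName = 'TestServerAuth'       # assumed template name (CN in AD)
$aeKey        = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. "Certificate Services Client - Auto-Enrollment" (computer side) is stored as the
#    AEPolicy DWORD: 7 = Enabled with both "renew expired/update pending/remove revoked"
#    and "update certificates that use templates" ticked; 0x8000 = Disabled.
#    Linking the GPO to the TEST OU is a separate step (New-GPLink).
Set-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# 2. The template ACL must give the computer Read plus the Enroll and Autoenroll
#    extended rights. These are the well-known extended-right GUIDs for them.
$enrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoenrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$configNC = (Get-ADRootDSE).configurationNamingContext
$templDN  = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl      = Get-Acl -Path "AD:\$templDN"

function Test-TemplateRight {
    param([string]$Principal, [Guid]$RightGuid)
    # True if an Allow ACE for $Principal grants that extended right, or all extended rights.
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Principal -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $RightGuid -or $_.ObjectType -eq [Guid]::Empty)
    })
}

$principal = "$env:USERDOMAIN\Domain Computers"   # a dedicated group is the tighter choice
foreach ($right in @{ Enroll = $enrollGuid; Autoenroll = $autoenrollGuid }.GetEnumerator()) {
    $ok = Test-TemplateRight -Principal $principal -RightGuid $right.Value
    Write-Host ("{0,-11} for {1}: {2}" -f $right.Key, $principal, $(if ($ok) { 'granted' } else { 'MISSING' }))
}

# 3. On the test server: refresh policy, trigger the autoenrollment task, then look in
#    LocalMachine\My for a certificate carrying this template's name in its
#    "Certificate Template Information" extension.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 15

$templateOid = '1.3.6.1.4.1.311.21.7'
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $ext -and ($ext.Format($false) -match [regex]::Escape($templateName))
}
if (-not $issued) {
    Write-Warning "No certificate from '$templateName' in LocalMachine\My yet. Check the Application log, source CertificateServicesClient-AutoEnrollment, for the reason."
    return
}

foreach ($cert in $issued) {
    Write-Host "Got $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"
    # 4. Revocation checking is a relying-party concern, not a deployment one: write the
    #    DER certificate out and let certutil fetch the AIA/CDP (and OCSP, if published)
    #    URLs and report the chain and revocation status.
    $der = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
    [IO.File]::WriteAllBytes($der, $cert.RawData)
    certutil -verify -urlfetch $der | Select-String -Pattern 'Revocation|Verified|Expired|ERROR'
}
```

If step 2 reports MISSING for either right, fix the template's Security tab on the issuing CA (or the ACE in AD) before retrying; the autoenrollment task silently skips templates the computer cannot enroll for, which is the usual reason the Personal store stays empty even though the policy is applied.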
