• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 482
  • Last Modified:

Windows 2008 applying certificates to servers, workstations and users. Online Responder and OCSP vs. GPO.

I have setup a Windows 2008 Certificate Services server in stand-alone workgroup and created my ROOTCA.
Then set up my issuing Certificate Services Windows 2008 server in my domain.
I have used certutil to pubish my RootCA to Active Directory and I have entered my RootCA in Trusted Root Certificates in Group Policy.
Everthing is in place and am ready to issue the certificates to server, workstations and users.
I would like to look at several ways to deploy my certificates.
Setup the Online Responder and use OCSP certificate templates? Seems like a bit more work than I was planning on, is there a client piece?
Manually, what is the fastest way to assign a certificate to a server, workstation or user? Just click on it and install it?
Just push it out with a Group Policy? Seems the fastest easiest way.

What do you think?
0
lanman777
Asked:
lanman777
  • 2
1 Solution
 
ShmoidCommented:
I wouldn’t bother with Online Responders. OCSP is not yet very widely used. Also remember, OCSP is not for deploying certificates but checking the validity of a certificate. Someday it may replace Certificate Revocation Lists (CRL) but not anytime soon.

As you mention, the fastest way to deploy certificates is auto-enrollment/Group Policy. Just be sure your templates have the appropriate permissions and your Default Domain policy for both computers and users is setup.
0
 
lanman777Author Commented:
Ok. I am new to this, so I will not installing the online responder.
I have created a GPO for my certificate and imported my cert into my GPO. I have then assigned my GPO to a TEST OU where I have a test server. will the server apply the cert? Or do I need to setup a CRL and a template?
If I need to create them can you recommend the steps or a document?
Nothing has shown up on my test server after I load MMC and Certificates\Computers. Still no cert in the personal folder.
What do I need to do?

I have applied my RootCA to my Trusted Root Certificates GPO. I opened this gpo and it shows it is there and trusted. Looks like my 3 DC's have it now, on my issuing Certificate Services server under "Issued Certificates" my DC's are now listed in my Issued Certificates.

0
 
ShmoidCommented:
Sounds like you are on the right track.   If you have auto-enrollment enabled in your policy and the template has permissions for read, enroll and auto-enrollment for the test server (or domain computers group) then it will get the cert automatically.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now