Windows 2008 applying certificates to servers, workstations and users. Online Responder and OCSP vs. GPO.

I have setup a Windows 2008 Certificate Services server in stand-alone workgroup and created my ROOTCA.
Then set up my issuing Certificate Services Windows 2008 server in my domain.
I have used certutil to pubish my RootCA to Active Directory and I have entered my RootCA in Trusted Root Certificates in Group Policy.
Everthing is in place and am ready to issue the certificates to server, workstations and users.
I would like to look at several ways to deploy my certificates.
Setup the Online Responder and use OCSP certificate templates? Seems like a bit more work than I was planning on, is there a client piece?
Manually, what is the fastest way to assign a certificate to a server, workstation or user? Just click on it and install it?
Just push it out with a Group Policy? Seems the fastest easiest way.

What do you think?
lanman777Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
ShmoidConnect With a Mentor Commented:
I wouldn’t bother with Online Responders. OCSP is not yet very widely used. Also remember, OCSP is not for deploying certificates but checking the validity of a certificate. Someday it may replace Certificate Revocation Lists (CRL) but not anytime soon.

As you mention, the fastest way to deploy certificates is auto-enrollment/Group Policy. Just be sure your templates have the appropriate permissions and your Default Domain policy for both computers and users is setup.
0
 
lanman777Author Commented:
Ok. I am new to this, so I will not installing the online responder.
I have created a GPO for my certificate and imported my cert into my GPO. I have then assigned my GPO to a TEST OU where I have a test server. will the server apply the cert? Or do I need to setup a CRL and a template?
If I need to create them can you recommend the steps or a document?
Nothing has shown up on my test server after I load MMC and Certificates\Computers. Still no cert in the personal folder.
What do I need to do?

I have applied my RootCA to my Trusted Root Certificates GPO. I opened this gpo and it shows it is there and trusted. Looks like my 3 DC's have it now, on my issuing Certificate Services server under "Issued Certificates" my DC's are now listed in my Issued Certificates.

0
 
ShmoidCommented:
Sounds like you are on the right track.   If you have auto-enrollment enabled in your policy and the template has permissions for read, enroll and auto-enrollment for the test server (or domain computers group) then it will get the cert automatically.
0
All Courses

From novice to tech pro — start learning today.