Solved

Windows 2008 applying certificates to servers, workstations and users. Online Responder and OCSP vs. GPO.

Posted on 2011-09-13
Last Modified: 2012-05-12
I have set up a Windows 2008 Certificate Services server in a stand-alone workgroup and created my ROOTCA.
Then I set up my issuing Certificate Services Windows 2008 server in my domain.
I have used certutil to publish my RootCA to Active Directory and I have entered my RootCA in Trusted Root Certificates in Group Policy.
Everything is in place and I am ready to issue the certificates to servers, workstations and users.
I would like to look at several ways to deploy my certificates.
Set up the Online Responder and use OCSP certificate templates? Seems like a bit more work than I was planning on; is there a client piece?
Manually, what is the fastest way to assign a certificate to a server, workstation or user? Just click on it and install it?
Just push it out with a Group Policy? Seems the fastest, easiest way.

What do you think?
Question by:lanman777
3 Comments
Accepted Solution by Shmoid (LVL 8, earned 2000 total points), ID: 36534059
I wouldn't bother with Online Responders. OCSP is not yet very widely used. Also remember, OCSP is not for deploying certificates but for checking the validity of a certificate. Someday it may replace Certificate Revocation Lists (CRLs), but not anytime soon.

As you mention, the fastest way to deploy certificates is auto-enrollment/Group Policy. Just be sure your templates have the appropriate permissions and your Default Domain Policy for both computers and users is set up.

Author Comment by lanman777, ID: 36537702
OK. I am new to this, so I will not be installing the Online Responder.
I have created a GPO for my certificate and imported my cert into my GPO. I have then assigned my GPO to a TEST OU where I have a test server. Will the server apply the cert? Or do I need to set up a CRL and a template?
If I need to create them, can you recommend the steps or a document?
Nothing has shown up on my test server after I load MMC and Certificates\Computers. Still no cert in the Personal folder.
What do I need to do?

I have applied my RootCA to my Trusted Root Certificates GPO. I opened this GPO and it shows it is there and trusted. Looks like my 3 DCs have it now; on my issuing Certificate Services server, under "Issued Certificates", my DCs are now listed.


Expert Comment by Shmoid (LVL 8), ID: 36544069
Sounds like you are on the right track. If you have auto-enrollment enabled in your policy and the template has permissions for Read, Enroll and Autoenroll for the test server (or the Domain Computers group), then it will get the cert automatically.
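The prerequisites the thread walks through (root CA trusted via GPO, auto-enrollment policy applied, template permissions granted, cert appearing in the computer's Personal store) can be checked on the test server in one pass. This is an added diagnostic script, not code from the thread or from Microsoft; it assumes the root CA subject contains "ROOTCA" as in the question, and `$IssuerName` is a placeholder for your issuing CA's name.

```powershell
# Added check script: run in an elevated PowerShell on the server in the TEST OU.
# $RootName comes from the thread; $IssuerName is a placeholder to replace with your issuing CA.
$RootName   = 'ROOTCA'
$IssuerName = 'IssuingCA'

# 1. Is the root CA trusted on this machine (delivered by the Trusted Root Certificates GPO)?
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$RootName*" }
if ($root) { "Root CA trusted: $($root.Subject) (thumbprint $($root.Thumbprint))" }
else       { "Root CA NOT in LocalMachine\Root - check the Trusted Root Certificates GPO and run gpupdate /force" }

# 2. Has the computer auto-enrollment policy arrived? The GPO writes AEPolicy under this key:
#    7 = enabled with 'renew expired certs' and 'update certs that use templates' ticked,
#    0x8000 = explicitly disabled, value missing = not configured (nothing will enroll).
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae) {
    "Auto-enrollment policy not applied - enable Certificate Services Client - Auto-Enrollment in the Default Domain Policy"
} elseif ($ae.AEPolicy -band 0x8000) {
    "Auto-enrollment is DISABLED by policy (AEPolicy=0x{0:X})" -f $ae.AEPolicy
} else {
    "Auto-enrollment enabled (AEPolicy=0x{0:X})" -f $ae.AEPolicy
}

# 3. Trigger an auto-enrollment pass now instead of waiting for the next policy refresh.
certutil -pulse | Out-Null
Start-Sleep -Seconds 10

# 4. Did a certificate from the issuing CA land in the computer's Personal (My) store?
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*$IssuerName*" }
if ($issued) {
    $issued | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
} else {
    "No certificate from $IssuerName yet - verify the template grants Read, Enroll and Autoenroll " +
    "to the computer (or Domain Computers), and review Application log events from " +
    "Microsoft-Windows-CertificateServicesClient-AutoEnrollment for the reason"
}
```

If step 1 passes but step 4 stays empty, the template permissions or the template not being published on the issuing CA are the usual causes, and the auto-enrollment event log entries name which one.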