Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.
Enterprise CA - Certificate AutoEnrollment Policy on a non-domain computer HowTo
I have completed the following steps thus far:
*Setup Active Directory Certificate Services
*Setup Certificate Enrollment Web Service
*Setup Certificate Enrollment Policy Web Service
*Created duplicate template of computer template
*Created a user account with permissions to the new template (and change the template to require the Subject Name to be supplied in the request)
*Issued the new template
*Reset IIS to update template cache in the Certificate Policy Web Service
*Used Add-CertificateEnrollmentP
When I open the certificates mmc and attempt to get a new certificate using the policy, the list is blank. I'm am not sure what I am missing.
Side note: if there is a way to request the certificate from the policy service with powershell I'd be interested to know that too.
*Setup Active Directory Certificate Services
*Setup Certificate Enrollment Web Service
*Setup Certificate Enrollment Policy Web Service
*Created duplicate template of computer template
*Created a user account with permissions to the new template (and change the template to require the Subject Name to be supplied in the request)
*Issued the new template
*Reset IIS to update template cache in the Certificate Policy Web Service
*Used Add-CertificateEnrollmentP
When I open the certificates mmc and attempt to get a new certificate using the policy, the list is blank. I'm am not sure what I am missing.
Side note: if there is a way to request the certificate from the policy service with powershell I'd be interested to know that too.
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Auto enrolment doesn't work for non-domain computers but you can get non-domain computers to request a certificate from a CA by initiating the request manually.
This technet article shows you how...
https://blogs.technet.microsoft.com/askds/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates/
This technet article shows you how...
https://blogs.technet.microsoft.com/askds/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates/
I am using the wrong term, I think what I am trying to do is setup auto renewal. I do understand that I need to initiate the request myself. I guess I can't do it using the mmc console. When I look into using the cerutil.exe later today, I'll come back on this thread if I have any questions.
Thanks for the link. I'll need it for cerutil.exe guidance.
Thanks for the link. I'll need it for cerutil.exe guidance.
It seems I needed to wait longer to be able to use the MMC to request a certificate. The replication must not have finished to all DCs yet for the template. Oops!
I did find that during the cert request it would fail with permission denied, but if I clicked 'Continue' it would then prompt me for credentials. I had entered in credentials when adding the policy server and set it to remember them, but they weren't used when requesting the certificate.
Something to note is that I'm pretty sure this method of requesting certificates on non-domain computers only works on 2008R2/Windows 7 and up (that's when Web CES and CEP roles were introduced). If using an earlier versions of windows, you will be required to use certreq.exe .
First create an .inf file with details like extensions, request attributes...
https://blogs.technet.micr
https://technet.microsoft.com/en-us/library/dn296456(v=ws.11).aspx#BKMK_Newhttps://technet.microsoft.com/en-us/library/dn296456(v=ws.11).aspx#BKMK_New
*on computer needing cert: certreq.exe -New -machine Policy.inf cert.req
*copy cert.req to CA
*on CA: certreq.exe -Submit cert.req cert.cer chain.pfx response.rsp
*copy cert.req, chain.pfx and response.rsp to computer needing cert
*on computer needing cert: certreq.exe -Accept -machine chain.pfx
*on computer needing cert: certreq.exe -Accept -machine response.rsp
*on computer needing cert: certreq.exe -Accept -machine cert.cer
*done
I did find that during the cert request it would fail with permission denied, but if I clicked 'Continue' it would then prompt me for credentials. I had entered in credentials when adding the policy server and set it to remember them, but they weren't used when requesting the certificate.
Something to note is that I'm pretty sure this method of requesting certificates on non-domain computers only works on 2008R2/Windows 7 and up (that's when Web CES and CEP roles were introduced). If using an earlier versions of windows, you will be required to use certreq.exe .
First create an .inf file with details like extensions, request attributes...
https://blogs.technet.micr
https://technet.microsoft.com/en-us/library/dn296456(v=ws.11).aspx#BKMK_Newhttps://technet.microsoft.com/en-us/library/dn296456(v=ws.11).aspx#BKMK_New
*on computer needing cert: certreq.exe -New -machine Policy.inf cert.req
*copy cert.req to CA
*on CA: certreq.exe -Submit cert.req cert.cer chain.pfx response.rsp
*copy cert.req, chain.pfx and response.rsp to computer needing cert
*on computer needing cert: certreq.exe -Accept -machine chain.pfx
*on computer needing cert: certreq.exe -Accept -machine response.rsp
*on computer needing cert: certreq.exe -Accept -machine cert.cer
*done
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Craig sent me down the right track to eventually finding that I needed to use certreq.exe for a windows 2008 machine I have. I just need to wait for AD replication before I was able to see the template I had created through the policy server I added to the non-domain PC
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory
From novice to tech pro — start learning today.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
You should use the CA web service via https://servername/certserv to request for certificates on non-domain computers or use the certreq.exe utility. The only powershell commands I know of, come with Exchange Servers e.g.
New-ExchangeCertificate
Get-ExchangeCertificate
Import-ExchangeCertificate
https://social.technet.microsoft.com/Forums/windowsserver/en-US/098f858a-3e89-48d2-828e-274487033f6b/how-to-request-certificate-from-a-nondomain-computer?forum=winserversecurity