byt3
asked on
Enterprise CA - Certificate AutoEnrollment Policy on a non-domain computer HowTo
I have completed the following steps thus far:
*Setup Active Directory Certificate Services
*Setup Certificate Enrollment Web Service
*Setup Certificate Enrollment Policy Web Service
*Created duplicate template of computer template
*Created a user account with permissions to the new template (and change the template to require the Subject Name to be supplied in the request)
*Issued the new template
*Reset IIS to update template cache in the Certificate Policy Web Service
*Used Add-CertificateEnrollmentP
When I open the certificates mmc and attempt to get a new certificate using the policy, the list is blank. I'm am not sure what I am missing.
Side note: if there is a way to request the certificate from the policy service with powershell I'd be interested to know that too.
*Setup Active Directory Certificate Services
*Setup Certificate Enrollment Web Service
*Setup Certificate Enrollment Policy Web Service
*Created duplicate template of computer template
*Created a user account with permissions to the new template (and change the template to require the Subject Name to be supplied in the request)
*Issued the new template
*Reset IIS to update template cache in the Certificate Policy Web Service
*Used Add-CertificateEnrollmentP
When I open the certificates mmc and attempt to get a new certificate using the policy, the list is blank. I'm am not sure what I am missing.
Side note: if there is a way to request the certificate from the policy service with powershell I'd be interested to know that too.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Like Craig Beck specified, it is not possible the use neither of AD Templates or auto enrolments.
ASKER
I am using the wrong term, I think what I am trying to do is setup auto renewal. I do understand that I need to initiate the request myself. I guess I can't do it using the mmc console. When I look into using the cerutil.exe later today, I'll come back on this thread if I have any questions.
Thanks for the link. I'll need it for cerutil.exe guidance.
Thanks for the link. I'll need it for cerutil.exe guidance.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Craig sent me down the right track to eventually finding that I needed to use certreq.exe for a windows 2008 machine I have. I just need to wait for AD replication before I was able to see the template I had created through the policy server I added to the non-domain PC
You should use the CA web service via https://servername/certserv to request for certificates on non-domain computers or use the certreq.exe utility. The only powershell commands I know of, come with Exchange Servers e.g.
New-ExchangeCertificate
Get-ExchangeCertificate
Import-ExchangeCertificate
https://social.technet.microsoft.com/Forums/windowsserver/en-US/098f858a-3e89-48d2-828e-274487033f6b/how-to-request-certificate-from-a-nondomain-computer?forum=winserversecurity