When you are on a server or a computer inside your company, requests for certificates are possible by communicating with a domain controller (via the LDAP protocol) and with the desired certificate authority via RPC / DCOM.
However, if your computer is not linked to your Active Directory domain (and is therefore in a workgroup) and/or is currently outside your company, it will not have the possibility of requesting a certificate using the usual method.
To solve these problems, you have the option of installing CEP and CES servers to allow these clients to request a certificate from your company's CA using only the HTTPS protocol.
This simplifies things when the client is outside the company and therefore cannot use the usual protocols: LDAP and RPC / DCOM.
Since the CEP / CES servers only use the HTTPS protocol, you will need an SSL certificate to secure them.
To do this, on your certification authority, right-click "Certificate Templates" and click "Manage".
Next, duplicate the "Web Server" certificate template.
Provide "Web Server v2" as template name (for example).
In the "Request Handling" tab, check the "Allow private key to be exported" box.
In the "Security" tab, click "Add".
In the selection window that appears, click "Object Types".
Check the "Computers" box.
Enter the name of your CEP/CES server and click OK.
Grant at least the "Enroll" right to this server so that it can request its certificate later.
Click OK.
Now that the new certificate template is created, don't forget to add it to the list of certificate templates to be issued (right-click "Certificate Templates" and click "New -> Certificate Template to Issue").
Select the certificate template you just created (in our case: Web Server v2) and click OK.
The new certificate template to be issued appears in the list.
For the example, we will issue a certificate to a user from a client computer running Windows 10 that is not part of our Active Directory domain.
However, the certificate template used here is an example and you could use any other certificate template.
On your CA, right-click "Certificate Templates" and click "Manage" again.
Duplicate the "User" certificate template.
Indicate "User v2" as template name (for example).
For example, grant the "Enroll" right to authenticated users.
Warning: if the e-mail address of your users is not entered in their user accounts, you will have to uncheck the boxes concerning the e-mail service.
To do this, in the "Subject Name" tab, uncheck the boxes:
Click OK.
The newly created certificate template appears.
Again, right-click "Certificate Templates" and click "New -> Certificate Template to Issue".
Select the newly created certificate template and click OK.
On your future CEP/CES server, install Active Directory Certificate Services.
Select only these role services:
Since CEP/CES lets clients obtain certificates (even from outside your company) using only the HTTPS protocol, the IIS web server is automatically installed on this server as a dependency.
Click Install.
Wait while Certificate Enrollment Web Services installs.
After the installation is complete, leave the Add Roles and Features Wizard open.
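The same server-side steps (requesting the HTTPS certificate from the duplicated "Web Server" template, then installing the two role services) as a PowerShell script, added here as an example and not taken from the article. It assumes the template name (CN) is "WebServerv2" (the default when the display name is "Web Server v2"), placeholder names for the CEP/CES server and the CA, and, going one step beyond this section, configures CEP/CES with username/password authentication, which is what a workgroup client outside the domain can use.

```powershell
# Added example, not the article's own steps. Run on the future CEP/CES server,
# while it is still domain-joined, with an account that can install roles.
$cepFqdn      = "cep.corp.example"          # placeholder: FQDN clients will use over HTTPS
$caConfig     = "ca.corp.example\CORP-CA"   # placeholder: "<CA host>\<CA name>"
$templateName = "WebServerv2"               # template name (CN), not the display name

# 1. Request the HTTPS certificate from the "Web Server v2" template. No -Url is needed:
#    this server is domain-joined, so enrollment goes through LDAP and RPC/DCOM as usual.
#    The template leaves the subject "supplied in the request", hence -SubjectName/-DnsName.
$result = Get-Certificate -Template $templateName `
    -SubjectName "CN=$cepFqdn" -DnsName $cepFqdn `
    -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') {
    throw "Certificate was not issued (status: $($result.Status)). Check the Enroll right on the template."
}
$sslCert = $result.Certificate

# 2. Install only the two role services the wizard offers; IIS is pulled in as a dependency.
Install-WindowsFeature ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc -IncludeManagementTools

# 3. Configure CEP and CES, both bound to the certificate obtained in step 1.
#    Username authentication is an assumption: Kerberos is unusable for workgroup clients.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Username `
    -SSLCertThumbprint $sslCert.Thumbprint -Force
Install-AdcsEnrollmentWebService -CAConfig $caConfig -AuthenticationType Username `
    -SSLCertThumbprint $sslCert.Thumbprint -Force

# 4. Check: port 443 must be bound to our certificate and to nothing else.
Import-Module WebAdministration
$bindings = Get-ChildItem IIS:\SslBindings | Where-Object Port -eq 443
foreach ($b in $bindings) {
    $ok = $b.Thumbprint -eq $sslCert.Thumbprint
    "{0}:{1} -> {2} ({3})" -f $b.IPAddress, $b.Port, $b.Thumbprint, ($(if ($ok) { "expected" } else { "UNEXPECTED" }))
}
```

If step 1 fails with a status other than Issued, the usual cause is the computer account missing the "Enroll" right on the template or the template not yet being in the "Certificate Templates to Issue" list.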
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.