Miha
Wed Aug 25 07:06:23 CDT 2004
Paul,
Thanks for your input. The only option is, as you said, to request using the web
interface for e.g. IPSec (offline request).
Mike
"Paul Adare - MVP - Microsoft Virtual PC" <padare@newsguy.com> wrote in
message news:MPG.1b962cd376a0dcec989a24@msnews.microsoft.com...
> In article <e8PeYIjiEHA.3632@TK2MSFTNGP09.phx.gbl>, in the
> microsoft.public.security news group, Miha Pihler <mihap-news@atlantis.si> says...
>
> There are a number of technical errors in this response. Comments
> inline...
> >
> > You can always request new certificate (additional certificate) based on
> > same template from your PC. Even if you request additional certificate from
> > your PC new certificate will not be same as the one on your PC (private and
> > public keys will be different and you will be able to tell certificates
> > apart by e.g. serial number). Once you have them on your PC you can export
> > them to .pfx file and send it to end user. Now you can even delete them from
> > your PC.
>
> If you go back and reread the original post, you should see why this
> advice is wrong, and won't work. The Computer certificate template is
> configured to build the subject name of an issued certificate from
> Active Directory. Since the OP was talking about a couple of systems
> that are not domain members this obviously won't work. The second
> certificate will still have the requesting computer name information as
> the subject and it will be unusable from any system that has a different
> computer name. The certificate won't work on a system other than the one
> for which it was issued.
>
> >
> > Another option would be (probably the way I would do it) to e.g. take
> > Virtual PC (or VMWare if you prefer it) and join the VirtualPC to domain.
> > This VirtualPC would get certificates needed so now you can export them.
> > Nice thing about this is you can give them different name -- and you should
> > be able to tell who got the certificate based on computer name (not just by
> > e.g. serial number). This is a better solution compared to first one. In
> > first solution all computer certificates would be named after your PC.
>
> Again, this is not going to work as you're talking about using the
> Computer template. Same reasons as above.
>
> >
> > Another option would be to use web interface
> > (http://cert_server/certutil/...) and make a request based on IPSec
> > certificate template (IPSec Offline Request). This depends quite a bit on
> > your VPN configuration. Main question is do you use IPSec and do you use
> > certificates for authentication. If you only use L2TP this won't help...
>
> This is the correct solution, though since the systems in question can't
> reach the CA, you'll need to request the certificates from a system that
> can reach the CA, and then make those certificates available to the
> external systems. The reason this solution will work is that this
> particular template is configured so that the subject name is provided
> in the request (you enter it in the web UI) rather than being built from
> Active Directory.
>
> >
> > I hope this helps. If you have any questions feel free to ask...
> >
> > Mike
> >
> > "Eddie Wedensworth" <auto3545@hushmail.com> wrote in message
> > news:9d76f9da.0408241451.61e4a65d@posting.google.com...
> > > First off, sorry for the crosspost.
> > >
> > > Yes, I'm using an Enterprise CA on a 2003 infrastructure.
> > >
> > > Are you saying I should request on my inside-the-network PC and export
> > > it? Would that mean if I already have a computer certificate on the
> > > inside of the network it would be identical when imported on the
> > > machine outside of the network?
> > >
> > > Thanks!
> > >
> > > Eddie
> > >
> > >
> > > "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> > news:<OTVgWjUiEHA.1356@TK2MSFTNGP09.phx.gbl>...
> > > > Hi Eddie,
> > > >
> > > > If I understand you correctly you have Enterprise CA. Can you tell what
> > > > version is it? Windows 2000 or Windows 2003?
> > > >
> > > > What you are asking is possible using IPSec (offline request), but I am only
> > > > sure for Windows 2003 PKI (Enterprise PKI)...
> > > >
> > > > What you can do is e.g. request a certificate on your PC. Once CA issues
> > > > your computer a certificate you export it and send it off on floppy or USB.
> > > > My advice is here to use strong password for protection of private keys.
> > > > Send private keys in separate shipment or even better tell them over a
> > > > phone...
> > > >
> > > > Mike
> > > >
> > > > "Eddie Wedensworth" <auto3545@hushmail.com> wrote in message
> > > > news:9d76f9da.0408231122.35ea9c78@posting.google.com...
> > > > > Here's my scenario: We're doing L2TP VPNs, and we have a very well
> > > > > functional internal PKI set up (doing EAP-TLS for internal wireless, so
> > > > > it's well tested).
> > > > >
> > > > > In doing L2TP VPNs, we need to get certificates on the clients--a User
> > > > > level certificate stored in the local computer store. That's easy, we
> > > > > do it with autoenrollment and a GPO on the domain.
> > > > >
> > > > > However, I have 2 clients that are not part of my domain that need to
> > > > > get a computer certificate. I can get them the certs for my Root and
> > > > > issuing certificate authorities, that's easy, but how in the world do
> > > > > I get them a computer certificate?
> > > > >
> > > > > Please note, they are completely disconnected. Our Certificate server
> > > > > is not reachable from the outside world, nor are these computers going
> > > > > to be toted into the office to be on my network anytime soon. I'm not
> > > > > doing PPTP to get them in without certificates to make the request.
> > > > > How can I make a request on their behalf and export something that I
> > > > > can send via floppy or USB? We're not ready to do smartcards yet.
> > > > >
> > > > > Gratzi
> > > > >
> > > > > Edd
> >
> >
> >
>
> --
> Paul Adare
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
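The offline-request approach Paul endorses above, as an added example that is not part of the thread: a PowerShell script, run elevated on a domain member that can reach the CA, that drives certreq.exe with an INF whose subject is supplied in the request (which is why the Computer template fails here and the IPSec offline template works), exports the issued certificate to a password-protected PFX for floppy/USB delivery, and then removes the staged copy. The CA config string, the external client's name and the template's internal name (assumed to be IPSECIntermediateOffline; confirm in the Certificate Templates console) are placeholders for your own environment.

```powershell
# Added example (not from the thread). Run elevated on a CA-reachable domain member.
# Placeholders: adjust for your CA and the external client you are enrolling.
$CaConfig   = 'CA01.corp.example\Corp Issuing CA'   # as shown by certutil -dump
$ClientName = 'vpnclient01.example.net'             # subject of the EXTERNAL machine
$Template   = 'IPSECIntermediateOffline'            # assumed internal name of "IPSec (Offline request)"
$Work       = Join-Path $env:TEMP "offline-$ClientName"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# The subject is written into the request, not built from Active Directory;
# that is what makes the result usable on a machine that is not a domain member.
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$ClientName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

certreq.exe -new "$Work\request.inf" "$Work\request.req"
certreq.exe -submit -config $CaConfig "$Work\request.req" "$Work\cert.cer"
certreq.exe -accept "$Work\cert.cer"   # binds the issued cert to the staged private key

# Verify the subject is the external host, not this staging machine.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ClientName" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No issued certificate with subject CN=$ClientName found" }

# Strong password, entered interactively and given to the client out of band
# (e.g. by phone), never shipped alongside the PFX.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password for $ClientName"
Export-PfxCertificate -Cert $cert -FilePath "$Work\$ClientName.pfx" -Password $pfxPassword | Out-Null

# Remove the staged certificate and its private key from this machine once exported.
Remove-Item -Path $cert.PSPath -DeleteKey
Write-Host "Deliver $Work\$ClientName.pfx to $ClientName and import it into LocalMachine\My there."
```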