
Issuing Web Browser digital certificates


william....@gmail.com

Oct 27, 2005, 9:39:09 PM
Hello ..
My company would like to have an offline Windows Server 2003 standalone
Certificate Authority. This CA would issue SSL certificates for an
Extranet. Users would either be sent a certificate to install or a tech
from our company would visit each client and perform the install.

My issue is that I am only aware of using the certsrv web that comes
with certificate services to request and install certificates for web
browsing. I am really not sure how to initiate a request at our offline
CA server on behalf of each user, how to generate the file, and how to
install the file in their personal certificate store in Internet
Explorer manually.

I know this isn't the most secure thing to do .. using the web based
certificate request/install is the best idea; however, they'd like the
server to be offline, and have techs install the certificates in each
user's profile manually. Any ideas on what I need to do? I looked at
certreq.exe but was having issues with the policy.inf file.

Any advice or info is appreciated.

Thanks!
william....@gmail.com

Brian Komar [MVP]

Oct 27, 2005, 11:06:07 PM
In article <1130463549....@f14g2000cwb.googlegroups.com>,
william....@gmail.com says...
Have the Web servers generate their Web Server certificate requests, and
then forward the PKCS#10 request files (.req or .txt) to a person with
access to the Web server. Then submit the request using the Web
enrollment pages (http://webserver/certsrv).
For IIS, this can be done in the IIS wizard by choosing to submit the
request to a commercial or offline CA.

The request would be pended by default. The certificate can then be
issued and the released certificate exported to a Base64 file for
installation at the Web server.

This will work for most Web servers out there, including non-IIS
servers.

You will have to do more though:
- Make sure that the offline root is added to the trusted root store of
all clients and web servers that will connect to the Web server
- Ensure that the web server's CRL is published to an online server.

HTH,
Brian

william....@gmail.com

Oct 27, 2005, 11:32:21 PM
Thanks! I was able to generate the certificates for IIS, and SSL is up
and running for the Extranet.

I also copied the root cert from the certificate server and installed
it on a test machine.

My issue is that each client also needs a certificate, since we require
client certificates to access the site. The app (.NET) reads in each
individual cert and parses the username and other info. So, I need to
create requests on the certificate server for each person and install
this cert into his/her browser. I am having an issue on how to generate
these requests (I'd normally have the user visit our certsrv site,
request the cert, then I'd approve it, and they would go back, and
install the cert). But since this server won't be on the WWW, I need to
create each request and have the cert installed on the user's PC. I
tried to generate a request on the cert server using the certsrv web
app, approved the cert, and then copied it to a file; however, it didn't
work once installed on the client PC.

Thanks again ..
Bill
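The offline client-certificate workflow Brian describes for Web servers, applied to a user certificate with certreq.exe, as an added example that is not from the original thread. It assumes a placeholder CA named "CASERVER\Extranet Root CA" and a placeholder user "Jane User"; the request is created in the user's own logon session on the client PC so the private key is generated and kept there, and only the request file and issued certificate travel to and from the offline CA on removable media.

```batch
@echo off
rem ---- Step 1: on the user's PC, logged on as the user -------------------
rem Write the certreq INF for a client-authentication certificate.
rem KeyUsage 0xA0 = digitalSignature + keyEncipherment; EKU 1.3.6.1.5.5.7.3.2
rem is Client Authentication. MachineKeySet=FALSE puts the key in the
rem user's profile, which is where IE looks for it. Names are placeholders.
> client.inf (
  echo [NewRequest]
  echo Subject = "CN=Jane User, OU=Extranet, O=Example Corp"
  echo KeyLength = 2048
  echo KeySpec = 1
  echo KeyUsage = 0xA0
  echo MachineKeySet = FALSE
  echo Exportable = FALSE
  echo RequestType = PKCS10
  echo ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
  echo [EnhancedKeyUsageExtension]
  echo OID = 1.3.6.1.5.5.7.3.2
)
rem Generates the key pair in the user's store and writes the PKCS#10 request.
certreq -new client.inf janeuser.req

rem ---- Step 2: on the offline CA, with janeuser.req carried over ---------
rem A standalone CA pends the request by default; note the RequestId printed.
rem   certreq -submit -config "CASERVER\Extranet Root CA" janeuser.req
rem Issue the pended request (replace 42 with the printed RequestId) and
rem retrieve the issued certificate as a file to carry back to the client.
rem   certutil -config "CASERVER\Extranet Root CA" -resubmit 42
rem   certreq -retrieve -config "CASERVER\Extranet Root CA" 42 janeuser.cer

rem ---- Step 3: back on the user's PC, logged on as the user --------------
rem -accept matches the certificate to the pending request and its private
rem key, installing it into the user's Personal store. The root CA
rem certificate (exported from the CA) goes into the user's Trusted Root
rem store so the chain validates.
rem   certreq -accept janeuser.cer
rem   certutil -user -addstore Root extranet-root.cer
```

Issuing the certificate for a request generated on the CA itself and copying only the .cer to the client gives the client a certificate with no matching private key, which is why a certificate installed that way cannot be used for client authentication.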
