Forum Discussion
Certificate Authority - Autoenrollment
Hi Keith.
Excellent that you have a tiered CA structure!
To your issue with enrolling untrusted computers, I would like to raise the concern that autoenrollment's security in part depends on the computers authenticating, showing the CA that the computer's identity has been verified and that it can be issued a cert because it is a known device.
If untrusted computers were automatically issued certs, what is to prevent a bad guy's computer from being issued one?
Not knowing what your business goals are, what should possibly be happening is that the computers in the untrusted domains should be issued certs in their own domains and a PKI cross trust be implemented.
https://msdn.microsoft.com/en-us/library/windows/desktop/bb540800(v=vs.85).aspx
It does depend on the goals, however.
Thanks
Ed
This can be achieved. But as Ed suggested, enrolling untrusted computers could be a problem.
Hence, what you would need to do is issue the first computer certificate during provisioning time of the machine and from thereon it can be auto-enrolled. In this manner you know the device is trusted by your organization and certs are not being given to unknown devices.
During provisioning time you will have to enroll certificates using a Certificate Enrollment Policy (CEP) set to accept user authentication, and CES too with user authentication. Thereafter the certs will be renewed from CEP/CES based on the original certs using cert-based authentication.
This presentation can help you understand it better:
https://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM329
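The provisioning-then-renew flow described in the reply above, as an added PowerShell example that is not from the thread or the linked presentation. It assumes the AD CS deployment and PKI client modules on Windows Server, placeholder hostnames (cep.corp.example), a placeholder CA config string (CA01\Corp-Issuing-CA), placeholder TLS thumbprints, and a certificate template named UntrustedDeviceComputer that you create separately; all of those names are assumptions.

```powershell
# Added example; not the poster's or Microsoft's own script. Hostnames, CA name,
# thumbprints and the template name below are placeholders you must replace.

# --- Server side (ADCSDeployment module, run on the CEP/CES hosts) -----------

# 1. Enrollment Policy Web Service that accepts username/password. This is the
#    endpoint an untrusted (non-forest) machine uses once, at provisioning time.
Install-AdcsEnrollmentPolicyWebService `
    -AuthenticationType Username `
    -SSLCertThumbprint '<CEP-TLS-CERT-THUMBPRINT>' `
    -Force

# 2. A second policy endpoint that authenticates with the certificate the
#    machine already holds and advertises key-based renewal. This is the path
#    used for every renewal after provisioning.
Install-AdcsEnrollmentPolicyWebService `
    -AuthenticationType Certificate `
    -SSLCertThumbprint '<CEP-TLS-CERT-THUMBPRINT>' `
    -KeyBasedRenewal `
    -Force

# 3. Enrollment Web Service for the one-time, credential-authenticated enrollment.
Install-AdcsEnrollmentWebService `
    -CAConfig 'CA01\Corp-Issuing-CA' `
    -AuthenticationType Username `
    -SSLCertThumbprint '<CES-TLS-CERT-THUMBPRINT>' `
    -Force

# 4. Renewal-only CES instance: it refuses new enrollments and only renews,
#    authenticating the client with its existing certificate. No user credential
#    has to remain on the device after provisioning.
Install-AdcsEnrollmentWebService `
    -CAConfig 'CA01\Corp-Issuing-CA' `
    -AuthenticationType Certificate `
    -SSLCertThumbprint '<CES-TLS-CERT-THUMBPRINT>' `
    -RenewalOnly `
    -AllowKeyBasedRenewal `
    -Force

# --- Client side (PKI module, run on the untrusted machine at provisioning) ---

# 5. Register the username/password policy server in the machine context and
#    enable autoenrollment against it. The URL path is the one the CEP role
#    creates for username/password authentication.
$cepUrl = 'https://cep.corp.example/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'
$cred   = Get-Credential -Message 'Provisioning account for first enrollment'
Add-CertificateEnrollmentPolicyServer `
    -Url $cepUrl `
    -Context Machine `
    -Credential $cred `
    -AutoEnrollmentEnabled

# 6. Perform the single credential-authenticated enrollment. From here on the
#    device renews against the certificate-authenticated endpoints above.
$result = Get-Certificate `
    -Template 'UntrustedDeviceComputer' `
    -Url $cepUrl `
    -Credential $cred `
    -CertStoreLocation Cert:\LocalMachine\My

$result.Status
$result.Certificate | Format-List Subject, NotAfter, Thumbprint
```

Two things the script does not do for you: the UntrustedDeviceComputer template must itself be configured to allow key-based renewal, or the certificate-authenticated CES will reject the renewal request, and the provisioning account passed to Get-Credential should be a dedicated, low-privilege account that is only permitted to enroll for that one template, so that a leaked provisioning credential cannot obtain certificates for anything else.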