Good day,

  • I have a CSR (certificate signing request) file, which was generated on some remote non-domain station.
  • I have created some AD user account.
  • I have an Enrollment Agent certificate signed for my own account.

The question is: can I somehow submit this CSR to an Enterprise CA for signing on behalf of this user account? Preferably from the command line (but not necessarily)?

The different pages I found on this topic only demonstrated how to create a fresh new CSR on behalf of a domain user (using an .inf file), and then submit it to the CA (example). But can I do it with an existing CSR, not created by myself?

Cat Mucius
  • What is your exact goal? Why not put all the info in the request and submit it to the CA server? I don't see any real reason to use ROBO in this scenario. – Crypt32 May 29 '17 at 16:24
  • The goal is to link a certificate, created on some remote standalone station, to a domain user account, so the person or the station having the certificate could authenticate as this user. Well, technically, I can use some free-subject template and put all the info in the CSR. Or log in as this user on a domain-joined station, and then just submit the certificate with his credentials, like: `certreq -submit -attrib "CertificateTemplate:template_name" request.csr`. But it seems that the most convenient way is to just use the "enroll on behalf" option. I wonder if it can be done with an existing CSR. – Cat Mucius May 29 '17 at 20:56
  • Yes, it is preferred. ROBO operations with a non-domain entity make little sense. Primarily, ROBO is used for initial smart card deployments. – Crypt32 May 29 '17 at 21:00
  • If I understand right, I can do this: 1. Extract public key from received CSR, 2. Create a new CSR with this public key, adding the AD user information to the Subject (DN or UPN), 3. Submit this new CSR for signing, specifying a free-subject template. – Cat Mucius May 29 '17 at 21:21
  • You can't do this, because the inner PKCS#10 request (with the client's public key) must be signed using the client's private key. – Crypt32 May 29 '17 at 22:25
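
The signature requirement from the last comment, as an added example that is not part of the original thread: it builds a PKCS#10 request, rewrites its subject without the client's private key, and runs the proof-of-possession check a CA performs. It assumes the Python `cryptography` package; the keys, the names `station-01` and `aduser-001`, and all function names are constructed for illustration.

```python
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

OLD_CN, NEW_CN = "station-01", "aduser-001"  # constructed names, equal length


def make_csr(key, common_name):
    """PKCS#10 request whose signature is produced with the requester's private key."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(
        key, hashes.SHA256())


def retarget_subject(csr, old_cn, new_cn):
    """Rewrite the subject inside the request without re-signing it."""
    assert len(old_cn) == len(new_cn)  # same length keeps the DER lengths valid
    der = csr.public_bytes(serialization.Encoding.DER)
    return x509.load_der_x509_csr(der.replace(old_cn.encode(), new_cn.encode(), 1))


def resigned_by_other_key(csr, other_key):
    """Does a signature by another key verify under the key embedded in the request?"""
    tbs = csr.tbs_certrequest_bytes
    sig = other_key.sign(tbs, padding.PKCS1v15(), hashes.SHA256())
    try:
        csr.public_key().verify(sig, tbs, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def run_demo():
    client_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    agent_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    original = make_csr(client_key, OLD_CN)  # what the remote station produced
    retargeted = retarget_subject(original, OLD_CN, NEW_CN)
    cn = retargeted.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return {
        "original_valid": original.is_signature_valid,
        "retargeted_cn": cn,
        "same_public_key": retargeted.public_key().public_numbers()
        == original.public_key().public_numbers(),
        "retargeted_valid": retargeted.is_signature_valid,
        "other_key_signature_accepted": resigned_by_other_key(retargeted, agent_key),
    }
```

The rewritten request still carries the client's public key, but its signature no longer verifies, and a signature made with any other key does not verify against that embedded key either.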

0 Answers