
I need to create a certificate for a computer (already added in the domain). This service has just begun and we've had basically no training, which is why I'm looking for any assistance you can give me.

To resolve the above query, we have accessed the server in which the CA is in. Went into MMC and added the snap-in for certificates. In here we chose the Computer account, added the computer name and gladly it was found in the domain. We have finished this procedure and saved the console.

We thought we had completed the request but unfortunately, on the computer we added, the client can't see the computer certificates although they have run a gpupdate /force.

What am I missing? Every time I open an MMC it's completely empty. Do I first have to import something here before creating a certificate snap-in for the computer account?

The server is in production, so I can't be doing any changes or work that will require a reboot.

I would appreciate any assistance you can provide.

Leo
  • I don't have any idea what you're asking or what you're trying to do. Is your problem with an MMC console or is it with a client certificate? How about giving us some details about your environment as well. – joeqwerty Aug 08 '17 at 23:15
  • @joeqwerty Thank you for your response. So, the Certification Authority is currently on a Win Server 2012. From this server, our team manages the CA and all certificates issued by this CA. In this specific request we received last week, we were asked to create a certificate for a computer account. They provided the computer name and we added it using the MMC certificate snap-in from the server. After this we contacted the client and asked them to confirm the resolution but they said that they still can't see the certificates from the computer we added. Trying to figure out what I'm missing... – Leo Aug 08 '17 at 23:34
  • Due to the private / public key nature of the certificate, the computer creates a CSR and submits it to the server. The server signs it and sends it back to the computer. The server has to support issuing the type of certificate you are requesting, i.e. computer authentication, server authentication, user authentication, etc. It is usually done autonomously using auto-enroll on a domain. The process does not start at the server. – Appleoddity Aug 09 '17 at 00:13

1 Answer


When you create a certificate signing request you need to send it to a trusted CA to get it signed. This is fairly simple with AD Certificate Services installed on one of your servers, which it sounds like you already have, I think. To issue a certificate you use the CA and Certificate Templates snap-ins, which are installed when you set up the CA, not the general Certificates snap-in for the computer.

Jim ReesPotter
  • Hello Jim. My client is going through the CSR request using the same steps as described in: http://www.entrust.net/knowledge-base/technote.cfm?tn=8924. Unfortunately, he is stuck in step 13 where he would choose the certificate, and it's here where we can't determine what's going on. The error he receives is "Certificate Types are not available". He is using a local administrator account on the computer. How do we get a machine/computer to list the certificate on step 13 of the link above? Does the admin account not have permissions to enroll? – Leo Aug 09 '17 at 14:09
  • Investigating a little bit further, we work with an integrated CA and our client is using a local admin account. I believe that the issue may be with the local account they're using. They would need a domain admin account with the proper permissions to enroll. Does this sound correct? – Leo Aug 09 '17 at 14:47
  • I have confirmed with the client. As mentioned, he is using a local admin account trying to generate the CSR which is where he can't see the certificate. I asked him if he would use a domain admin account with permissions to enroll but he said he does not have a domain account. Could anyone suggest our next steps? Would this be solved with a domain admin account that has permissions to enroll? – Leo Aug 09 '17 at 15:23
  • Ok so you're creating a web server cert request to be cut+posted into a request signing website (with no ADCS involved) - sorry, got wrong end of the duck there. Has he definitely chosen custom request in the step before? There should be loads of docs online as to how to create a web server certificate request - check what he's doing against other descriptions too. That one looks spot on from what I can see.. – Jim ReesPotter Aug 09 '17 at 15:25
  • Correct Jim, our client just chose the custom request in the step before and he is able to open the properties and choose according to what he needs. I have asked and will soon confirm with the client if he is in fact creating a web server certificate request. If he is, I could then address him to an online doc such as the one provided before (http://www.entrust.net/knowledge-base/technote.cfm?tn=8924), correct? – Leo Aug 09 '17 at 16:45
  • Just received confirmation, which creates more questions than answers. He is **not** requesting a web server certificate but is requesting what he calls "machine certificate". He is using the local admin account to request certificate in which he can't see it listed from the CSR request. Is a CSR the way one would request this machine certificate? – Leo Aug 09 '17 at 17:02
  • In this case, it looks like the correct procedure would be to Configure the Workstation Authentication Certificate Template: https://technet.microsoft.com/es-cl/library/cc732966(v=ws.10).aspx This looks like the option he needs, but I'm not sure if this is done directly from the computer or if I can run this process through the server in which the CA is in. – Leo Aug 09 '17 at 17:19
  • The certificates need to be requested. The CA authority will issue the resulting cert, either automatically or after someone on the CA authority console approves it. You'll need to enable the cert template in CA authority and set enroll permission in the template security settings. – Jim ReesPotter Aug 09 '17 at 18:07
  • The certificate is requested from the user's end, that would be step 1, then? He will need a domain account for this? I've been reading that Enterprise admins and Domain admins are required to submit a computer certificate through a CSR. Or would I need to enable the cert template and set to enroll before the certificate is requested? – Leo Aug 09 '17 at 19:53
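An added example, not code from the question, the answer or any commenter, showing how a CA administrator could verify the three things the thread converges on: that the Workstation Authentication template is actually published on the CA, who holds the Enroll (and Autoenroll) right on that template in Active Directory, and whether the request succeeds when it is made in the machine context rather than by a local administrator account. The CA config string, the computer name and the domain are placeholders; the template CN `Workstation`, the `certutil`/`certreq` switches and the Enroll/Autoenroll extended-right GUIDs are standard Windows PKI values, and the ActiveDirectory PowerShell module is assumed to be installed on the host running this.

```powershell
# Added example, not part of the original question or answer. Assumptions:
# run as a CA administrator from a domain-joined admin host that has the
# ActiveDirectory module, and replace the placeholders below with real values.
$CaConfig     = 'CAHOST.example.local\Example-Issuing-CA'  # placeholder: <CA host>\<CA common name>
$TemplateCn   = 'Workstation'        # CN of the built-in "Workstation Authentication" template
$ComputerName = 'WS-PLACEHOLDER'     # placeholder: the domain-joined computer that cannot enroll

Import-Module ActiveDirectory

# --- 1. Is the template published on this CA? ------------------------------
# A template the CA has not been told to issue is invisible to clients, which
# is the usual cause of "Certificate Types are not available" in the wizard.
$caTemplates = certutil -config $CaConfig -CATemplates | Out-String
if ($caTemplates -notmatch "(?m)^$TemplateCn\b") {
    Write-Warning "Template '$TemplateCn' is not published on $CaConfig."
    Write-Host "To publish it:  certutil -config `"$CaConfig`" -SetCATemplates +$TemplateCn"
}

# --- 2. Who holds Enroll / Autoenroll on the template in AD? ---------------
# Templates are stored in the Configuration partition; Enroll and Autoenroll
# are extended rights identified by fixed GUIDs.
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$acl = Get-Acl -Path "AD:\$templateDn"

$rights = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq $autoenrollGuid) } |
    Select-Object IdentityReference,
                  @{ n = 'Right'; e = { if ($_.ObjectType -eq $enrollGuid) { 'Enroll' } else { 'Autoenroll' } } }
$rights | Format-Table -AutoSize

# A machine certificate is requested by the computer account, so the identity
# that needs Enroll here is the computer itself or a group containing it
# (by default, Domain Computers). A local administrator account on the
# workstation is not a domain principal and will never match these entries.
$computer   = Get-ADComputer -Identity $ComputerName
$groupNames = (Get-ADPrincipalGroupMembership -Identity $computer).Name
Write-Host "Computer $($computer.Name) is a member of: $($groupNames -join ', ')"

# --- 3. Request in the machine context and confirm the result -------------
# certreq -Enroll with -machine submits the request as the computer account
# against the enterprise CA; it needs an elevated session on the workstation,
# which Invoke-Command provides when run with admin credentials.
Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    param($tpl)
    certreq -Enroll -machine -q $tpl | Out-String

    # Show any certificate in the machine store that was issued from this template.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' }
        $ext -and $ext.Format($false) -match $tpl
    } | Select-Object Subject, NotAfter, Thumbprint
} -ArgumentList $TemplateCn
```

Step 2 answers the question of whether a domain admin account is required: it is not, because the principal that enrolls for a machine certificate is the computer account, so the ACL entry to look for is the computer or Domain Computers, not an administrator group. If step 1 reports the template as unpublished, publishing it with the `-SetCATemplates` command shown is the only change needed on the CA and does not require a reboot.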