On Wed, Sep 27, 2017 at 02:31:12PM +0000, Lelio Fulgenzi wrote:
> The hardest part was finding some decent instructions on how to do so. 
> Apparently, when a private signed certificate is generated and granted it's 
> available for download from the link presented during the process and there's 
> no easy way to find an inventory of generated certificates!
The Windows CA service implements access via several different methods, a
web portal, a command line option, and an API. Machines in a Windows AD
can request services from the CA server via whatever way.

Since there are several ways of doing things in Windows, it all
depends on what you are doing, as to what the instructions are.

If you are doing things by hand, typically you would be using the web
portal.  I find the easiest workflow for me is to have a secure area
set aside to store all the stuff going in and out. My process
typically has the keypair and certificate signing request being done by
hand with OpenSSL, although you can use certtool if you really want.
Then I pass the CSR into the Windows CA and get back the signed response,
saving each part along the way rather than being on the fly.

It should be noted the CA server never stores private key-pairs itself, and
basically is really as it says, it signs the request and hands it back to you.
If you lose the private key, you can't recover it from the CA. If you let the
web portal have your web browser generate a key-pair and CSR, then you are
going to have to go dig that information out of wherever your web browser
stashed it (different for every single one). It's best to start with you
generating it specifically and stashing the files securely where you can access
them.

You can easily see all the Issued Certificates from the Certificate
Authority MMC plugin (e.g. under Issued Certificates). There are command
line tools to do this as well. Typically, you'll have many certs, all in
various states, so it's not like there is a master inventory here, which is
what you seem to imply on wanting to find.

The CA server is just a signer.  In the Enterprise, you get all your
workstations to trust your CA, you submit a cert req to the signer CA,
it signs it, so then all your workstations trust your new cert.

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
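The by-hand workflow described in the reply above (generate the key pair and CSR yourself with OpenSSL, submit the CSR to the CA, save each piece in a set-aside directory) as an added example that is not part of the original thread. Since the script has to run offline, a throwaway self-signed CA stands in for the Windows CA; the working directory, subject name and file names are constructed for the example. The two checks a practitioner wants after the signed response comes back are included: that the public key inside the returned certificate is the one belonging to the private key you kept, and that the certificate chains to the CA your workstations trust.

```shell
#!/bin/sh
# Added example, not code from the mailing list post. Generates the key pair
# and CSR by hand with OpenSSL, has a stand-in CA sign the CSR, then checks
# that the certificate handed back really belongs to the private key on disk.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"                           # secure area for key/CSR/cert (constructed)
SUBJECT="/C=CA/O=Example Org/CN=cucm-pub.example.internal"  # constructed subject name

# Fingerprint (SHA-256 over DER SubjectPublicKeyInfo) of a PEM public key on stdin.
pubkey_fingerprint() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 1: generate the private key and CSR yourself. The key never leaves WORKDIR,
# and the CA never sees it. Prints the CSR's public key fingerprint.
make_key_and_csr() {
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/server.key" 2>/dev/null
    openssl req -new -key "$WORKDIR/server.key" -subj "$SUBJECT" \
        -out "$WORKDIR/server.csr" 2>/dev/null
    openssl req -in "$WORKDIR/server.csr" -noout -pubkey | pubkey_fingerprint
}

# Step 2: submit the CSR and save the signed response. Here a throwaway
# self-signed CA stands in for the Windows CA so the script runs offline.
# Against a real Windows CA you would submit server.csr through the web
# portal or with certreq (e.g. certreq -submit server.csr server.cer) and
# save the returned certificate as $WORKDIR/server.crt.
stand_in_ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/ca.key" \
        -subj "/CN=Stand-in Issuing CA" -days 2 -out "$WORKDIR/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 2 \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# Step 3a: fingerprint of the public key inside the issued certificate.
cert_pubkey_fingerprint() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey | pubkey_fingerprint
}

# Step 3b: fingerprint of the public key derived from the private key we kept.
key_pubkey_fingerprint() {
    openssl pkey -in "$WORKDIR/server.key" -pubout | pubkey_fingerprint
}

# Step 4: does the returned certificate chain to the CA we trust? Prints ok/fail.
verify_chain() {
    if openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

main() {
    csr_fp=$(make_key_and_csr)
    stand_in_ca_sign
    echo "CSR public key:  $csr_fp"
    echo "cert public key: $(cert_pubkey_fingerprint)"
    if [ "$(cert_pubkey_fingerprint)" = "$(key_pubkey_fingerprint)" ]; then
        echo "certificate matches the private key on disk"
    else
        echo "MISMATCH: the CA returned a certificate for a different key"
    fi
    echo "chain check: $(verify_chain)"
    echo "files saved under $WORKDIR (server.key, server.csr, server.crt, ca.crt)"
}

main
```

The key-match check is the one that catches the failure mode the reply warns about: if the browser generated the key pair and you later produce your own CSR, the certificate the portal hands back will not match the key you hold, and the fingerprints differ. Keeping `server.key`, `server.csr` and `server.crt` together in one restricted directory is what makes the certificate recoverable later, since the CA only keeps the signed certificate, never the key.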