Our root CA is offline. I only fire it up every couple of months to keep it patched and update the CRLs. You will need an intermediate CA online somewhere to issue certificates. The problem is that, if you want to use certificate templates and modify the defaults, you need Windows Enterprise for the intermediate CA that actually issues the certs. Our root CA is Standard, but the intermediate CA is Enterprise.
...Tim

> -----Original Message-----
> From: Stephen Wimberly [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 26, 2008 1:06 PM
> To: NT System Admin Issues
> Subject: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
>
> The plan was to use our SQL Server (the only Enterprise-level server we
> have) to issue the root CA, publish it to Active Directory and use GPO to
> push the computer certificate to the workstations.
>
> The plan _almost_ works....
>
> The workstation fails on auto enrollment because it is sending out a request
> directly to the SQL server (root CA server) to register the certificate. (I
> see this via Wireshark.) The SQL server is behind a firewall and we really
> don't want to open any more ports.
>
> Is there a way (that I'm obviously missing) to push the certificates
> directly from AD (Server 2003 R2 STANDARD) so there is no required
> communication back to the root CA server??? I'm wanting all the
> communication to come directly from the domain controller that is in the
> same network.
>
> Do I need to set up the DC as a subordinate CA?
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
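The two-tier layout Tim describes (offline Standard root, online Enterprise subordinate that issues the end-entity certs) can be checked from a workstation after autoenrollment runs. The PowerShell below is an added example written for this thread, not code posted by either participant. It assumes the auto-enrolled machine certificate lives in Cert:\LocalMachine\My with the Client Authentication EKU, and the root CA subject name 'CN=Corp Root CA' is a placeholder you would replace with your own.

```powershell
# Added example: verify that a workstation's auto-enrolled computer certificate
# was issued by an online subordinate CA chaining to an offline root, and that
# the offline root's CRL is still fetchable from its published distribution point.
# Assumptions: cert is in Cert:\LocalMachine\My with the Client Authentication EKU;
# 'CN=Corp Root CA' is a hypothetical root subject used only for illustration.

param(
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [string]$ExpectedRootSubject = 'CN=Corp Root CA'
)

# Client Authentication EKU, present on certs from the default Computer template.
$eku = '1.3.6.1.5.5.7.3.2'

$cert = Get-ChildItem $StorePath |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $eku } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No machine certificate with the Client Authentication EKU found in $StorePath"
}

# Build the chain with online revocation checking for every element, so the
# root CA's CRL (published to AD or HTTP while the root stays powered off)
# is actually retrieved and its validity period exercised.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$built = $chain.Build($cert)

$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
$leaf = $elements[0]
$root = $elements[-1]

Write-Host ("Leaf   : {0}" -f $leaf.Subject)
Write-Host ("Issuer : {0}" -f $leaf.Issuer)
Write-Host ("Root   : {0}" -f $root.Subject)
Write-Host ("Depth  : {0}" -f $elements.Count)

# Design check: in a two-tier PKI the end-entity cert must come from the
# subordinate CA, never straight from the root. A chain of fewer than three
# certificates means the root itself issued the workstation cert.
if ($elements.Count -lt 3) {
    Write-Warning 'Certificate chains directly to the root CA; an online intermediate CA should be issuing end-entity certs.'
}
if ($root.Subject -ne $ExpectedRootSubject) {
    Write-Warning "Unexpected root CA: $($root.Subject)"
}

# RevocationStatusUnknown or OfflineRevocation here usually means the offline
# root's CRL has expired or its CDP URL is unreachable from this network,
# which is the operational cost of keeping the root powered off.
foreach ($status in $chain.ChainStatus) {
    Write-Warning ("{0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}

# List the enterprise CAs registered in Active Directory; these are the only
# CAs a domain member will contact for template-based autoenrollment.
certutil -ADCA

if (-not $built) { exit 1 }
```

Run it on a domain-joined workstation after `gpupdate /force` (or `certutil -pulse`) has triggered autoenrollment; a depth of 3 with a clean ChainStatus confirms the subordinate issued the cert and the root's CRL is being published somewhere reachable, which is what lets the root itself stay off the network.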
