Is the 'intermediate CA' the same thing as a 'subordinate CA'? I installed the CA services on the DC as a subordinate CA server; maybe it needs to be an Enterprise CA server?
Overview:

  Windows Enterprise running Enterprise CA Server publishing to AD
  Two Windows Standard running DC
  ====== Firewall ========== (DCs replicate via IPSEC)
  Two Windows Standard running DC; one running Enterprise subordinate CA server
  Workstations

-----Original Message-----
From: Tim Evans [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2008 4:22 PM
To: NT System Admin Issues
Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

Our root CA is off line. I only fire it up every couple of months to keep it patched and update the CRLs. You will need an intermediate CA online somewhere to issue certificates. The problem is that, if you want to use certificate templates and modify the defaults, you need Windows Enterprise for the intermediate CA that actually issues the certs. Our root CA is Standard, but the intermediate CA is Enterprise.

...Tim

> -----Original Message-----
> From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 26, 2008 1:06 PM
> To: NT System Admin Issues
> Subject: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
>
> The plan was to use our SQL Server (the only Enterprise level server we have) to issue the root CA, publish it to Active Directory and use GPO to push the computer certificate to the workstations.
>
> The plan _almost_ works....
>
> The workstation fails on auto enrollment because it is sending out a request directly to the SQL server (root CA server) to register the certificate. (I see this via WireShark.) The SQL server is behind a firewall and we really don't want to open any more ports.
>
> Is there a way (that I'm obviously missing) to push the certificates directly from AD (Server 2003 R2 STANDARD) so there is no required communication back to the root CA server??? I'm wanting all the communication to come directly from the domain controller that is in the same network.
>
> Do I need to set up the DC as a subordinate CA?
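Added example, not from any poster in this thread: a PowerShell check, run on a workstation, that lists the enrollment CAs published in Active Directory (the list autoenrollment clients use to pick a CA) and tests whether each CA's RPC endpoint is reachable through the firewall. It assumes the RSAT ActiveDirectory module and Test-NetConnection (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the thread). Run on a domain-joined workstation.
# Autoenrollment does not go through the DC: the client reads the CA list from
# the Enrollment Services container in the Configuration partition, then talks
# directly to the CA over DCOM (TCP 135 plus a dynamic RPC port). A CA behind a
# firewall that blocks those ports is listed as available but cannot be reached.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Every pKIEnrollmentService object here is a CA a client may send its request to.
$cas = Get-ADObject -SearchBase $searchBase `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName, cACertificateDN, certificateTemplates

foreach ($ca in $cas) {
    $config = "$($ca.dNSHostName)\$($ca.Name)"
    Write-Host "CA: $config"
    Write-Host "  Subject   : $($ca.cACertificateDN)"
    Write-Host "  Templates : $($ca.certificateTemplates -join ', ')"

    # TCP 135 is the RPC endpoint mapper; if it is blocked, enrollment never reaches the CA.
    $rpc = Test-NetConnection -ComputerName $ca.dNSHostName -Port 135 `
               -WarningAction SilentlyContinue
    $state = if ($rpc.TcpTestSucceeded) { 'reachable' } else { 'BLOCKED' }
    Write-Host "  RPC/135   : $state"

    # certutil -ping exercises the real ICertRequest interface on that CA.
    $ping = & certutil.exe -config $config -ping 2>&1
    Write-Host "  certutil  : $($ping | Select-Object -Last 1)"
}

# After fixing the topology, force an enrollment attempt and read the client's own
# verdict: Application log, source CertificateServicesClient-AutoEnrollment.
& certutil.exe -pulse | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Application';
                                 ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } `
    -MaxEvents 5 | Select-Object TimeCreated, Id, Message
```

A CA that shows as BLOCKED here, yet still appears in the list, is exactly the situation described in the thread: the workstation will keep choosing it until an online issuing CA on the reachable side of the firewall is published in AD.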
