Are multiple PKI Enterprise objects supported in Active Directory?
Hi all, I have a requirement of having multiple PKIs in an Active Directory domain. For example, one PKI only for devices, and one PKI only for users. I notice that the Active Directory AutoEnrollment feature seems to rely on the "Enterprise PKI" object that is defined in the Active Directory structure (in ADSI Edit: CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=<your domain>). I tried to manually add multiple pkiEnrollmentService objects there, but I didn't have much success with that. Is there an option to have multiple pkiEnrollmentService objects and to differentiate between them based on what type of object (user vs. computer/device) needs a certificate for AutoEnrollment? Thanks in advance.
April 18th, 2011 12:28am

Yes, multiple PKIs are supported. If you need to separate CAs by type (one for users and a second for devices), a best practice will be:

1) Create a single root (offline is recommended) and publish its certificate to the RootCA AD container (certutil -dspublish -f rootca.crt RootCA).
2) Set up an Enterprise Subordinate CA for users.
3) Set up an Enterprise Subordinate CA for devices.

P.S. You cannot manually create AD records for CAs as it is not supported. These entries are automatically added to AD during Enterprise CA setup.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
April 18th, 2011 2:23am
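As an added example (not part of the thread and not the answerer's code), the following PowerShell script reads the pkiEnrollmentService objects that Enterprise CA setup creates under the Enrollment Services container named above and shows, for each CA, which certificate templates it publishes. That is the attribute autoenrolling users and computers use to pick a CA, so after the second subordinate CA is installed it is the quickest way to confirm that the "user" CA and the "device" CA publish disjoint template sets. It also checks that each CA certificate is present in the NTAuthCertificates container (a sibling of Enrollment Services under Public Key Services, populated automatically by Enterprise CA setup). Assumptions: a domain-joined host, read access to the Configuration partition (the default for authenticated users), and PowerShell 3.0 or later; no third-party modules are used.

```powershell
# Added example: inventory Enterprise CA objects in AD and their published templates.
# Assumes a domain-joined host with read access to the Configuration naming context.

$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pksDN    = "CN=Public Key Services,CN=Services,$configNC"

# Return the X509Certificate2 objects stored in a container's cACertificate attribute.
function Get-CertsFromContainer {
    param([string]$DistinguishedName)
    $obj = [ADSI]"LDAP://$DistinguishedName"
    foreach ($raw in $obj.Properties['cACertificate']) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    }
}

# Thumbprints of everything in NTAuthCertificates; an Enterprise CA missing here
# will issue certificates that cannot be used for domain logon.
$ntAuthThumbs = @{}
try {
    Get-CertsFromContainer "CN=NTAuthCertificates,$pksDN" |
        ForEach-Object { $ntAuthThumbs[$_.Thumbprint] = $true }
} catch {
    Write-Warning "Could not read NTAuthCertificates: $($_.Exception.Message)"
}

# Enumerate the CA objects that Enterprise CA setup registered under Enrollment Services.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://CN=Enrollment Services,$pksDN"
$searcher.Filter      = '(objectClass=pKIEnrollmentService)'
$searcher.SearchScope = 'OneLevel'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn','dNSHostName','certificateTemplates','cACertificate'))

$cas = $searcher.FindAll()
if ($cas.Count -eq 0) {
    Write-Warning "No pkiEnrollmentService objects found under CN=Enrollment Services,$pksDN"
    return
}

$templateOwners = @{}   # template name -> list of CAs that publish it

foreach ($entry in $cas) {
    $p    = $entry.Properties
    $name = [string]$p['cn'][0]
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$p['cacertificate'][0])
    $templates = @($p['certificatetemplates'] | ForEach-Object { [string]$_ })

    foreach ($t in $templates) {
        if (-not $templateOwners.ContainsKey($t)) { $templateOwners[$t] = @() }
        $templateOwners[$t] += $name
    }

    [pscustomobject]@{
        CA            = $name
        Host          = [string]$p['dnshostname'][0]
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        InNTAuth      = $ntAuthThumbs.ContainsKey($cert.Thumbprint)
        TemplateCount = $templates.Count
        Templates     = ($templates -join ', ')
    }
}

# A template published by more than one CA defeats the user/device split: an
# autoenrolling client may request it from either CA.
$shared = $templateOwners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
foreach ($s in $shared) {
    Write-Warning ("Template '{0}' is published by multiple CAs: {1}" -f $s.Key, ($s.Value -join ', '))
}
```

Run it as any domain user from a domain-joined machine; a CA whose object shows an empty Templates column will never be selected by autoenrollment, and a CA with InNTAuth set to False should be investigated before certificates from it are relied on for authentication. Removing a template from one CA's list (on the CA itself, not by editing the AD object, as the answer above notes) is how the two CAs are kept to their intended audiences.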

Thanks for the answer. Unfortunately, the CA structure branches already into users and computers well before it actually gets into my organization. So I will have to create two independent CAs, both on enterprise level. The common root is outside of my AD. Is this setup supported as well?

--Georg
April 18th, 2011 5:14am

Yes, you will have to install two Enterprise CAs (though they might be under a single root).

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
April 18th, 2011 8:17am
