CertReq/CertUtil Not Working (Communication Problems)
I'm not sure whether this is in the right forum, but... I am trying to use CertUtil and CertReq to grab the client and trusted root certificates needed for Config Manager IBCM. The machine I tried this on is on the LAN with any/any port access but not on the domain. The batch file I'm trying to use looks like this:

    @echo off
    rem Make the certs folder
    mkdir c:\ClientCerts
    rem Specify Variables
    set subjectname=%computername%
    set certpath="c:\ClientCerts"
    set caserver="<IP of CA>\<CA Name>"
    rem Request & install Trusted Root Certificate
    certutil -f -config %caserver% -ca.cert %certpath%\CAcertificate.cer
    certutil -addstore Root %certpath%\CAcertificate.cer
    rem Create an INF request file with the specified computername as subject
    echo ;---------------CertificateRequestTemplate.inf-------------- >> %certpath%\%subjectname%.inf
    echo [NewRequest] >> %certpath%\%subjectname%.inf
    echo Subject="CN=%subjectname%" >> %certpath%\%subjectname%.inf
    echo KeySpec=1 ;key exchange >> %certpath%\%subjectname%.inf
    echo KeyUsage=0xf0 >> %certpath%\%subjectname%.inf
    echo MachineKeySet=TRUE >> %certpath%\%subjectname%.inf
    echo [RequestAttributes] >> %certpath%\%subjectname%.inf
    echo CertificateTemplate="ComputerClient" >> %certpath%\%subjectname%.inf
    rem Create a binary request file from the INF
    CertReq -New -f %certpath%\%subjectname%.inf %certpath%\%subjectname%.req
    rem Submit client cert request to CA
    CertReq -Submit -f -config %caserver% %certpath%\%subjectname%.req %certpath%\%subjectname%.cer
    rem Install client cert
    certreq -accept %certpath%\%subjectname%.cer
    rem Delete certs folder
    RD C:\ClientCerts /S /Q

And the INF file it generates looks like this:

    ;---------------CertificateRequestTemplate.inf--------------
    [NewRequest]
    Subject="CN=<NetBIOS Name>"
    KeySpec=1 ;key exchange
    KeyUsage=0xf0
    MachineKeySet=TRUE
    [RequestAttributes]
    CertificateTemplate="ComputerClient"

This works fine on my domain workstation but won't work outside of it.
On the laptop clients I get: "This computer was unable to communicate with the computer providing the server. 0x8000401d (-2147467235)" What is causing this? I have ensured that I can telnet to the CA over 443 and I'm able to access web enrollment just fine. Thanks
June 18th, 2009 12:15am

Does "certutil -ping" work?
June 18th, 2009 5:54am

I don't think so - here's the output:

    C:\Documents and Settings\<user>>certutil -ping
    402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
    417.329.0: 0x80070002 (WIN32: 2)
    417.596.0: 0x80070002 (WIN32: 2)
    410.2618.0: 0x80070002 (WIN32: 2)
    410.2633.0: 0x80070002 (WIN32: 2)
    301.2585.0: 0x80070002 (WIN32: 2)
    301.2824.0: 0x80070002 (WIN32: 2)
    CertUtil: The system cannot find the file specified.
    301.3128.0: 0x80070002 (WIN32: 2)

Is there an installer for certutil and certreq? I thought they were standard tools on an XP Pro machine, but apparently not. When I first went to run them, I got nothing, so I copied certutil.exe and certreq.exe from my C:\Windows\System32 to the machine that is having problems. My machine runs this perfectly.
June 18th, 2009 3:00pm

I tried again specifying the CA using the -config switch and got this:

    C:\Documents and Settings\<user>>certutil -config <CAServer>\<CAName> -ping
    402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
    Connecting to <CAServer>\<CAName> ...
    425.185.0: 0x80070005 (WIN32: 5): <CAServer>
    425.265.0: 0x80070005 (WIN32: 5)
    425.400.0: 0x80070005 (WIN32: 5)
    425.500.0: 0x80070005 (WIN32: 5)
    Server could not be reached: Access is denied. 0x80070005 (WIN32: 5)
    310.2561.0: 0x80070005 (WIN32: 5)
    310.2598.0: 0x80070005 (WIN32: 5)
    CertUtil: -ping command FAILED: 0x80070005 (WIN32: 5)
    CertUtil: Access is denied.
    301.3160.0: 0x80070005 (WIN32: 5)

What access do I need to set up?

*** EDIT *** OK, so just for testing purposes, I added the workgroup machine I was trying to get certs for to the domain and it did the same thing; then I ran CMD as my domain admin account and ran the utility and it worked great. Is it even possible to use certutil to request certificates on a machine that is not on the domain?
June 18th, 2009 4:22pm

OK, I've done some more testing - this is definitely a domain rights/permissions issue. When the machine is on the domain and I log in as a user that is a local admin on the CA, everything works perfectly. Leave the domain and nothing works, so it has nothing to do with networking/ports/etc. I can't do a command-line runas on certutil while it's off the domain because it says unknown username/password. Can someone at least confirm that it's possible to run Certutil/Certreq on a non-domain machine to retrieve certificates from a domain-joined Enterprise CA? Thanks.
June 19th, 2009 3:41pm

You are trying to authenticate from a non-domain account to a service that requires domain credentials. You will need to authenticate somehow. The first thing you'll need to figure out is if you can connect to the CA through DCOM by passing in credentials. I don't know if this can be done. If you can achieve this then you may be able to get certutil/certreq to run from a non-domain joined system. Also, certutil/certreq did not come on Windows XP machines. I believe it is now available on Vista and up.
Andrew
June 20th, 2009 8:08pm

I understand what you're saying, but this post: http://blogs.technet.com/momteam/archive/2008/06/02/obtaining-certificates-for-ops-mgr.aspx almost makes it sound like a no-brainer to use certutil and certreq to obtain Trusted Root and Client certificates, via command line or script, for, "machines in untrusted domains or DMZs (anywhere outside of Kerberos trust)" I need to be able to have a company laptop request and install these certificates on a post-install script after they are ghosted. Do you know of any other good method to deploy certificates to non-domain machines?
June 22nd, 2009 4:14pm

This post looks VERY similar to what I'm trying to do... http://social.technet.microsoft.com/forums/en-US/winserversecurity/thread/bfe69ab8-37ca-4ad0-be1d-7496222c9632 The only difference (and for me it's key) is that the OP in that thread needed to figure out how to request certs on an untrusted domain, whereas I'm trying to make this happen in a workgroup. If certutil/certreq is not going to work for me in a workgroup environment, what will? I hope I don't have to do this manually, because we sometimes ghost 50-60 laptops per day here and that would add a LOT of time to that process. Thanks
June 22nd, 2009 9:26pm

Reading through both items that you posted, I found the following items: From http://social.technet.microsoft.com/forums/en-US/winserversecurity/thread/bfe69ab8-37ca-4ad0-be1d-7496222c9632, item 4 clearly states:

4. The request file must be moved/saved to a location where a user with an account in the same forest as the CA will submit the request. This account must have Read and Enroll permissions on the CA. This account would execute the following commands from the blog.

In your case, since you are enrolling for a machine cert, the machine needs an account in the same forest as the CA. I presume that the machine [laptop you are ghosting] is not joined to the domain. So, what account are you going to authenticate as to the CA? Let me ask the question another way. You would like to obtain a certificate for a workgroup machine. What do you want the subject name of the certificate to be? What is the purpose of this certificate; i.e. what are you using the cert for?
Andrew
June 23rd, 2009 2:14am

Hi, as Andrew stated, I am afraid that it is impossible to run Certreq on a non-domain joined machine to request a certificate from an Enterprise CA because it cannot pass the authentication. From a non-domain joined machine, you are going to come across as anonymous. In this case, you can submit the request on a domain joined machine and import the certificate to the computer store on the non-domain joined machine. It is similar to processing an offline certificate request.
June 23rd, 2009 6:52am

Thanks for the replies... Andrew - I'm trying to come up with a client and trusted root certificate deployment strategy for field laptops that will be running Configuration Manager 2007 clients and connecting using Internet-based client management. The 2000 existing field laptops will be coming through our HQ and being re-imaged with an updated copy of Windows XP, the CM2007 client and the certs required for IBCM so that when they go back out into the field, they are ready to connect as soon as they're plugged into the internet. The subject name of the cert needs to be the NetBIOS name of the client (which I scripted into the request) using the %computername% variable. Jason - What certificate deployment strategy would you suggest in this case? I need to be able to do this relatively quickly so it doesn't slow down the imaging process. A post-install script would be ideal, but what is the next best thing? These machines are not (and hopefully will not have to be) domain-joined. The only thing I'm thinking about trying is a script that joins the domain, requests the certificates and then leaves the domain. Thanks again
June 23rd, 2009 4:02pm

Also, my plan is to use this script in my intranet environment as a logon script to get the intranet clients their certs - what ports will Certutil/Certreq need opened to the CA? Thanks
June 24th, 2009 3:31pm

Just wanted to bump this up and ask another question: Would it be possible for me to request the client certificates on a machine that IS on the domain and then deploy them to the machines that are NOT on the domain? I tried using the SCOM CertGenWizard tool from HERE to do it, but when I install the resulting certificates to the workgroup clients, they do not say "You have a private key that corresponds to this certificate." in the cert - which is apparently required for SCCM clients to authenticate. Are there any offline certificate request strategies that will give the client computer a cert and private key? So far I have only been successful in getting the private key when I request the certificates from the clients themselves when they're on the domain. As I stated above, these certificates are for machines designed to be off the domain and I'd like not to have to join them to the domain just to request a certificate, if possible. Thanks.
July 16th, 2009 12:06am

Bump again - I really need some help on this. In response to Jason Zhou's post including this: "In this case, you can submit the request on a domain joined machine and import the certificate to the computer store on the non-domain joined machine. It is similar to processing an offline certificate request." I would like to know if someone could point me to a document explaining how to do this and if it would give the non-domain joined machine a private key, which apparently Configuration Manager 2007 requires. Thanks
July 20th, 2009 3:49pm
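The offline workflow Jason Zhou describes (and the private-key question in the two bump posts), written out as an added example that is not code from this thread or from Microsoft: the key pair and CSR are generated on the workgroup laptop with certreq -new, only the submit step runs on a domain-joined machine under an account with Read and Enroll on the CA, and certreq -accept on the laptop binds the issued cert to the key that never left it. The drop share \\<fileserver>\certdrop is a placeholder, the CA config string and the ComputerClient template are taken from the original post, and the laptop steps assume an elevated prompt.

```batch
@echo off
rem Added example (not the thread's script): three-step offline enrollment.
rem Steps 1 and 3 run on the WORKGROUP laptop; step 2 runs on a DOMAIN-JOINED
rem machine as an account with Read + Enroll on the CA and on ComputerClient.
rem Assumed placeholders: \\<fileserver>\certdrop and <CAServer>\<CAName>.
set subjectname=%computername%
set work=C:\ClientCerts
set drop=\\<fileserver>\certdrop
set caserver=<CAServer>\<CAName>

if /i "%~1"=="request" goto request
if /i "%~1"=="submit"  goto submit
if /i "%~1"=="accept"  goto accept
echo usage: %~nx0 request ^| submit ^| accept
exit /b 1

:request
rem Step 1 (workgroup): certreq -new creates the key pair and CSR locally.
rem MachineKeySet=TRUE keeps the key in the computer store, pending accept.
mkdir %work% 2>nul
(
  echo [NewRequest]
  echo Subject="CN=%subjectname%"
  echo KeySpec=1
  echo KeyUsage=0xf0
  echo MachineKeySet=TRUE
  echo Exportable=FALSE
  echo [RequestAttributes]
  echo CertificateTemplate="ComputerClient"
) > %work%\%subjectname%.inf
certreq -new -f %work%\%subjectname%.inf %work%\%subjectname%.req
copy /y %work%\%subjectname%.req %drop%\ >nul
exit /b %errorlevel%

:submit
rem Step 2 (domain-joined, domain account): the only step that talks DCOM/RPC
rem to the CA. Fetch the CA cert once, then submit every CSR in the drop share.
certutil -f -config %caserver% -ca.cert %drop%\CAcertificate.cer
for %%F in (%drop%\*.req) do certreq -submit -f -config %caserver% "%%F" "%drop%\%%~nF.cer"
exit /b %errorlevel%

:accept
rem Step 3 (workgroup): trust the issuing CA, then bind the issued cert to the
rem local key. certreq -accept matches it against the pending request, so the
rem cert shows "You have a private key that corresponds to this certificate".
certutil -addstore Root %drop%\CAcertificate.cer
certreq -accept %drop%\%subjectname%.cer
certutil -store My %subjectname%
exit /b %errorlevel%
```

The template must be configured to take the subject name from the request, otherwise an Enterprise CA builds it from the submitting account's directory object rather than the laptop's NetBIOS name. Unlike granting Anonymous Logon rights on the template, this keeps the CA reachable only by a domain account.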

Thanks... I figured it out.
July 23rd, 2009 3:40pm

Hi there, I know this is a while after the event, but would really appreciate some assistance. I've got the same issue - workgroup servers, with no access to CA. Tried using the certgenwizard, however the .cer file it produces isn't working. TIA
Nick
November 20th, 2009 6:13pm

I tested the above script in my lab. Got this script working on a workgroup machine. The certificate template "ComputerClient" -> gave "Anonymous Logon" permissions and it worked like a charm. However, giving "Anonymous Logon" read and write permissions to the custom template "ComputerClient" may be a security risk.
December 7th, 2009 4:34pm

What ports did you have open between the machines? I just tried what you suggested and I'm getting the same errors as before.
December 11th, 2009 6:41pm

Hi all, also met the case as described above. We also want to do a mass deployment of the SCCM Client on workgroup machines not in the same domain, and these clients will be managed using native mode through Internet-based management. Tim & Adnan, what is the result of the case? By the last post, it seems only modifying the permission won't work, and how about the detail setting? Thanks in advance.
Lisa
May 10th, 2011 3:37am
