Clarification on requesting Web Server Certificates

I'm running Server 2012 R2 CAs with V3+ certificates. Prior to this I was running Server 2008 R2 CAs with V1/V2 certificates.

I understand that the Web Enrollment page (CertSrv) cannot display/issue V3+ certificates. Apparently this is due to the lack of support for KSP vs CSP. Is this correct? Can someone elaborate on this at all? I'm trying to gather as much information on this as possible so that I can better explain it to my peers who have only ever used the CertSrv page for requesting certificates.

Also can someone give some clarification on why I must request a V3 Web Server certificate as a Machine rather than a User? Is there any way to request a V3 certificate such that the "Requester" name shows a user name rather than a computer name? How did the CertSrv site accomplish this with V2 web server certificates?

Example:

I must use "certlm.msc" or "certreq -enroll -machine" to request a Web Server certificate (intended purpose=Server Authentication).

Thanks!

Mike

May 28th, 2015 6:03pm

First, one clarification: you are talking about the certificate template version, not the X.509 certificate version.

Yes, V3 certificate templates are not supported by Enrollment Web Pages. Starting with Windows Vista, direct computer certificate enrollment is no longer supported. This functionality was removed due to security reasons. Nowadays web enrollment is barely useful and its main purpose is to support user certificate enrollment when certmgr.msc is not available.

> Also can someone give some clarification on why I must request a V3 Web Server certificate as a Machine rather than a User?

Because a web server certificate represents the machine host, not the user, and IIS (and other services) uses the local machine certificate store to locate server certificates.

> Is there any way to request a V3 certificate such that the "Requester" name shows a user name rather than a computer name?

No. When you request a computer certificate, the current workstation is authenticated on the CA server. The user is not authenticated during this process.

> How did the CertSrv site accomplish this with V2 web server certificates?

Starting with Windows Vista, this functionality is removed from web pages.

> I must use "certlm.msc" or "certreq -enroll -machine" to request a Web Server certificate (intended purpose=Server Authentication).

It is the correct way.

May 28th, 2015 8:14pm

Thanks for the clarification.

Do you know why I am able to request a WebServer certificate based off a V3 Certificate template under a user account when using the following certreq command and providing it a CSR generated outside of the MS CA?

certreq -attrib "CertificateTemplate:WebServerV3Template"

As previously mentioned, requesting the same certificate using the below command uses my workstation name as the requestor and doesn't allow a user account to request certificates based on this template.

certreq -enroll -machine "WebServerV3Template"

May 29th, 2015 6:55pm

The difference between the two commands is the security context.

certreq -attrib "CertificateTemplate:WebServerV3Template"

In this command, you are missing that you are submitting the actual CSR. Hence, the keypair was remotely generated and a *user* is submitting the request to the CA. The issued certificate (best a p7b) is then returned to the machine where the request (and key pair) was generated, and tied back to the key pair.

certreq -enroll -machine "WebServerV3Template"

In this command, you are generating the actual request in the security context of the machine (-machine). The key pair is generated as part of the command *on the local machine*. It is the machine computer account that is submitting the request to the CA. Because of this, the machine must be a member of the forest, so that the ACE on the certificate template can assign the computer account Read and Enroll permissions.

HTH,

Brian

May 30th, 2015 1:43am
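The two request paths contrasted in Brian's reply (and the "why machine, not user" point from the first answer) as a complete PowerShell session. This is an added example, not code posted in the thread: the CA config string `ca01.contoso.local\Contoso-Issuing-CA`, the template name `WebServerV3Template`, the host name `web01.contoso.local` and the working folder are placeholders. Path 1 generates the key pair locally in the machine store (so IIS can use it) but submits the CSR as the logged-on user, which is why the CA's RequesterName column shows a user; Path 2 lets certreq do everything as the computer account. Both must be run from an elevated prompt on a domain-joined server.

```powershell
# Added example (not from the thread). Placeholders: CA config string,
# template name, host name and working folder.
$Template = 'WebServerV3Template'                     # placeholder: V3 (KSP-backed) template
$CAConfig = 'ca01.contoso.local\Contoso-Issuing-CA'   # placeholder: "<CA host>\<CA common name>"
$Work     = 'C:\Temp\certreq'                         # placeholder working folder
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# --- Path 1: CSR built locally, submitted in the *user* security context --------
# MachineKeySet=TRUE puts the private key in the local machine store (needs an
# elevated prompt); the KSP provider is required because V3 templates are CNG-only.
# The user running certreq -submit is what the CA records as RequesterName.
@'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=web01.contoso.local, O=Contoso, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
KeyUsage = 0xA0

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=web01.contoso.local&"
_continue_ = "dns=www.contoso.com"
'@ | Set-Content -Path "$Work\web01.inf" -Encoding ASCII

# Generate key pair + PKCS#10 request, then submit it naming the template as a
# request attribute (the part missing from the command quoted in the thread).
certreq -new "$Work\web01.inf" "$Work\web01.req"
certreq -submit -config $CAConfig -attrib "CertificateTemplate:$Template" `
        "$Work\web01.req" "$Work\web01.cer"

# Install the issued certificate next to its pending key in the machine store.
certreq -accept -machine "$Work\web01.cer"

# --- Path 2: everything done as the *computer* account --------------------------
# certreq generates the key pair in the machine store and submits the request as
# the computer account (CONTOSO\WEB01$), so the template ACL must grant that
# computer Read + Enroll, and RequesterName on the CA shows the computer.
certreq -enroll -machine -q $Template

# --- Check on the CA: what the database recorded as the requester ---------------
# Disposition 20 = issued. Path 1 shows DOMAIN\user, Path 2 shows DOMAIN\HOST$.
certutil -config $CAConfig -view -restrict "Disposition=20" `
         -out "RequestID,RequesterName,CommonName,CertificateTemplate"
```

The `certutil -view` query at the end is the quickest way to demonstrate the thread's point to colleagues: the RequesterName column reflects the security context that submitted the request, not where the key pair was generated, so a server certificate can live in the machine store while the CA's audit trail still names the user who submitted it.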

