Client Certificate Generation and Distribution
Hi everyone, I am using Windows Server 2008 R2 with IIS 7.0, Active Directory and AD CA installed. I have created a self-signed certificate and deployed it successfully to the default web site. In IIS I set client authentication to "Accept Client Certificate". I created a client certificate from the utility "http://localhost/certsrv", issued the certificate from the CA authority and installed it on a client machine running Windows XP SP2. I went back to IIS and set client authentication to "Require Client Certificate". This works fine for me. However, I doubt this is the approach to be followed on a production machine, where we cannot afford to change the client authentication option at the server each time we want to issue a certificate for a new client. My question is: what is the recommended approach/procedure to generate and distribute the certificate(s) to the clients? Also, can I use the same certificate generated above and distribute it to all the clients I want to have access to my site, or do I need to generate multiple certificates so that each client has his own unique certificate to access my site?

Regards, Adeel Aslam
July 19th, 2011 9:54am

I think you need autoenrollment (http://technet.microsoft.com/en-us/library/cc778954(WS.10).aspx). By using autoenrollment you will be able to automatically distribute certificates to end users/computers.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
July 19th, 2011 11:25am

Thanks for the reply. Actually my scenario is that the clients are not able to access my CA directly, as they are disconnected and distributed. Also the client machines/users are not in my domain. Now what I want is to generate a single client certificate only once and provide the generated client certificate to the client via USB drive or email it to them. Now let me know how I can do this.

Regards, Adeel Aslam
July 20th, 2011 5:30am

You will have to generate a separate certificate for each user (entity). It is a bad idea to share the same certificate between two or more users.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
July 20th, 2011 8:54am

Thanks Vadims Podans for your reply. If I want to generate separate client certificates for each client, then I have to give the URL "http://10.0.0.1/certsrv" to each client so they can access the above URL and generate their own web browser client certificate. But what if my clients are not on the domain? How will they access the client certificate URL to generate their certificates? Is it possible for me to generate the client certificates for the different clients myself and then provide the certificates to them separately through email or USB flash drive?

Regards, Adeel Aslam
July 21st, 2011 1:27am

Hi Adeel, for domain users, use certificate autoenrollment policy. For non-domain users, use the certificate web enrollment URL http://10.0.0.1/certsrv. For users on an external network, use VPN to dial in to the internal network.

Regards, Rick Tan
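A worked example of the approach Adeel asks about (the administrator requesting one certificate per external client on the CA side and handing each client a password-protected PFX by USB or e-mail), added here as an illustration; it is not code from any reply in this thread. It uses certreq.exe and certutil.exe, which ship with Windows Server 2008 R2. The CA config string, the template name, the output directory and the client names are placeholders or constructed values; the template is assumed to be a duplicate of "User" whose Subject Name is set to "Supply in the request" and which issues without CA-manager approval.

```powershell
# Added example (not from this thread). Assumptions: elevated PowerShell session on a
# machine that can reach the enterprise CA; $CaConfig and $Template are placeholders;
# the template honours the subject supplied in the request and auto-issues, so
# certreq -submit returns the certificate immediately; $Clients is a constructed list.
$CaConfig = 'CA-SERVER\Issuing-CA'   # placeholder: "certutil -dump" prints the real Config string
$Template = 'ExternalClientAuth'     # placeholder: copy of "User" with Subject Name = "Supply in the request"
$OutDir   = 'C:\ClientCerts'
$Clients  = @('alice', 'bob')        # constructed: one certificate per client, never shared

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$ledger = Join-Path $OutDir 'pfx-passwords.txt'   # deliver these out of band, never with the PFX

foreach ($client in $Clients) {
    $inf = Join-Path $OutDir "$client.inf"
    $req = Join-Path $OutDir "$client.req"
    $cer = Join-Path $OutDir "$client.cer"
    $pfx = Join-Path $OutDir "$client.pfx"

    # certreq request file: a distinct subject per client; Exportable = TRUE because the
    # private key has to leave this machine inside the PFX.
    @"
[NewRequest]
Subject = "CN=$client, OU=External Clients, O=Example Org"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xA0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

    certreq.exe -new $inf $req                       # 1. generate key pair + PKCS#10 request
    certreq.exe -submit -config $CaConfig $req $cer  # 2. CA issues the certificate
    certreq.exe -accept $cer                         # 3. join it to its private key in CurrentUser\My

    # 4. Export certificate + private key as a password-protected PFX.
    $thumb    = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer).Thumbprint
    $password = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })
    certutil.exe -user -p $password -exportPFX My $thumb $pfx

    # 5. Remove the key from the server's store: from now on only the client should hold it.
    certutil.exe -user -delstore My $thumb

    "$client`t$thumb`t$password" | Add-Content -Path $ledger
    Remove-Item $inf, $req
}
```

On the client the user imports the file with `certutil -user -p <password> -importPFX alice.pfx` (or by double-clicking it), with the password arriving separately from the PFX. Because every client holds its own certificate, a lost USB stick or leaked mailbox means revoking one certificate on the CA and reissuing to one person, rather than to everyone, which is the practical reason behind the advice above not to share a single certificate. Keep the thumbprint ledger: it is what you look up when you need to revoke.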
July 25th, 2011 3:10am
