How to request certificate from a non-domain computer
We are using a Windows Server 2008 R2 Enterprise CA to issue web server certificates (SSL). The CA server is a member of an AD domain and online. Now we want to request certificates from computers like Windows Server 2008 R2 or Linux servers which aren't members of the domain.
How can we request certificates automatically with a script, remotely from these Windows servers, for example? Is it possible to use the "Certificate Enrollment Web Service" without the "Certificate Enrollment Policy Web Service"?
Is it possible to use certreq in this scenario?
Thanks for your help.
Edited by Ewoki, Tuesday, September 27, 2011 3:49 PM
September 27th, 2011 6:34pm
Thanks for your reply. The link is the URL of this thread :-(... The problem is that we don't have an .inf file. The request file will be generated by the "hardware" (HP iLO web server), which is running on an internal chipset on the motherboard.
Therefore we need a solution to submit a pre-created request file.
September 27th, 2011 7:21pm
If you have request files, you can automate certificate submission by scripting the certreq.exe tool. Here is a simple example:
certreq -submit -attrib "certificatetemplate:TemplateCommonName" input.csr output.cer
September 27th, 2011 8:56pm
If I try this command line I get an RPC error. The firewall on the CA server is deactivated. The CA server and the requesting server are not in the same forest/domain. Adding a username and password doesn't solve the problem.
What could be the problem?
Edited by Ewoki, Tuesday, September 27, 2011 8:01 PM
September 27th, 2011 10:58pm
You need to move all requests to a domain computer, because you need to be properly authenticated.
September 28th, 2011 8:39am
Now I have found a solution. I want to describe the way briefly:
Prerequisites:
1. ADCS Enterprise Certification Authority is installed
2. ADCS Certificate Enrollment Web Service is installed on a server
3. ADCS Certificate Enrollment Policy Web Service is installed on an other server
Steps to do:
1. Prepare a request file for a certificate.
2. On a computer which is not a member of the domain/forest of the CA service: submit the request to the CA and receive the issued certificate. The following command has to be written on one line without line breaks.
certreq -submit
-Username {domain}\{username}
-p {password}
-PolicyServer "https://{FQDN CertificateEnrollmentPolicyWebService-Server/-Alias}/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
-config "https://{FQDN CertificateEnrollmentWebService-Server/-Alias}/{CAName}_CES_UsernamePassword/service.svc/CES"
-attrib "CertificateTemplate:{TemplateName}"
{Enter Path and Name of the Request-File}
{Choose Path and Filename for certificate}
Sample:
certreq -submit
-Username contoso\Serviceaccount
-p P@ssw0rd
-PolicyServer "https://CAPolicyEnroll.contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
-config "https://CAWebEnroll.contoso.com/IssuingCA1_CES_UsernamePassword/service.svc/CES"
-attrib "CertificateTemplate:MyOwnSSLTemplate"
request.req
sslcert.cer
3. Now you can find a file with your requested certificate locally in the path you have chosen for the certificate file.
I hope this will be helpful for other people enrolling certificates on non-domain-member computers.
Marked as answer by Ewoki, Wednesday, September 28, 2011 9:22 AM
September 28th, 2011 12:22pm
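The procedure above wrapped in a PowerShell function, as an added example that is not code from the thread: it prompts for the service-account password instead of embedding it in a script, runs the same certreq -submit call against the CEP/CES username/password endpoints, and then checks that the file that came back parses as a certificate carrying the Server Authentication EKU a web server needs. The endpoint URLs, CA name, account and template name are the sample values from the answer and are assumptions; the -q flag only suppresses certreq's UI.

```powershell
# Added example: scripted version of the answer's certreq -submit call plus a result check.
# Endpoint URLs, CA name and template are the thread's sample values (assumptions).
function Submit-CsrToEnterpriseCa {
    param(
        [Parameter(Mandatory)][string]$RequestFile,      # PKCS#10 request, e.g. exported from the iLO web UI
        [Parameter(Mandatory)][string]$OutputFile,       # where the issued certificate is written
        [Parameter(Mandatory)][string]$Template,         # template common name, e.g. MyOwnSSLTemplate
        [Parameter(Mandatory)][pscredential]$Credential, # enrollment account, e.g. contoso\Serviceaccount
        [string]$PolicyServer = 'https://CAPolicyEnroll.contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP',
        [string]$EnrollmentServer = 'https://CAWebEnroll.contoso.com/IssuingCA1_CES_UsernamePassword/service.svc/CES'
    )
    if (-not (Test-Path -LiteralPath $RequestFile)) { throw "Request file not found: $RequestFile" }

    # certreq only accepts the password as a plain argument (-p), so unwrap it at the
    # last moment; nothing in this script file ever contains the password itself.
    $plain = $Credential.GetNetworkCredential().Password
    $certreqArgs = @(
        '-submit', '-q',
        '-Username', $Credential.UserName,
        '-p', $plain,
        '-PolicyServer', $PolicyServer,
        '-config', $EnrollmentServer,
        '-attrib', "CertificateTemplate:$Template",
        $RequestFile, $OutputFile
    )
    $output = & certreq.exe @certreqArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code ${LASTEXITCODE}: $output" }

    # The request may have been held for CA manager approval, in which case no
    # certificate exists yet; otherwise confirm the file is a usable SSL certificate.
    if (-not (Test-Path -LiteralPath $OutputFile)) { throw "No certificate returned; request may be pending: $output" }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutputFile
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    if (-not $hasServerAuth) {
        throw "Issued certificate $($cert.Thumbprint) lacks the Server Authentication EKU; check the template"
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

# Usage: the password is typed into the Get-Credential prompt, not stored in the script.
$cred = Get-Credential -UserName 'contoso\Serviceaccount' -Message 'CES enrollment account'
Submit-CsrToEnterpriseCa -RequestFile .\request.req -OutputFile .\sslcert.cer -Template MyOwnSSLTemplate -Credential $cred
```

The returned object gives the subject, issuer, expiry and thumbprint to record before copying sslcert.cer back to the iLO or Linux host that produced the request.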
Hi,
Thanks for your feedback. This solution will benefit others who come to this forum.
Have a nice day!
September 29th, 2011 6:57pm
Hi all,
Is there any sample of code that can be used with CA Policy and Web Services instead of using "certreq" utility?
Thanks,
Ratko
Edited by Stibra, Monday, February 18, 2013 7:16 PM
February 18th, 2013 10:16pm
-config "https://CAWebEnroll.contoso.com/IssuingCA1_CES_UsernamePassword/service.svc/CES"
This is weird, where exactly did this guy derive this URL from? Usually you have something like https://servername.domain.com/certsrv (which doesn't work).
Anyone else had any success with remote certificate request using certreq?
January 26th, 2015 7:30am
Interestingly, this is exactly what I was looking to do. I do have CES/CEP installed (it just happened to be on the intermediary domain-joined CA as well), but this was installed in "Windows Integrated Authentication" mode specifically for issuing to domain-joined machines.
Now I want to issue a certificate to a non-domain joined machine (only a few) - I "think" the only way to set up CEP/CES using both 'Windows Integrated' AND 'Username/Password' authentication is via a PowerShell commandlet.
I too have issues connecting to the "normal" CertSrv website, but I do know that the URL outlined is to do with CEP and the authentication method used, in this case Username and Password.
I'm not sure why the actual CertSrv site is not functioning or if this is a side effect of installing CEP/CES. It seems a lot to re-configure the currently installed CEP/CES to issue just a few certs, but if that's what it takes, I'll have to look into it.
This page might be of u
January 31st, 2015 1:28pm
In fact, I think the URL shown above refers to a CES running on the Windows 2008 machine (as this was posted back in 2011). The URL on Windows 2012 R2 is still convoluted, but not as convoluted as that mentioned.
However, I have just checked my CertSrv site again and it is working; not sure what happened here. So, for me (as there are only a few certs that need to be issued), the simple thing is to create a request manually, then paste the Base64 text into the CertSrv request handling page, then take the produced certificate and import it back to the non-domain server.
https://technet.microsoft.com/en-us/library/ff625722%28v=ws.10%29.aspx#BKMK_CertEnroll
(using 'certreq' as suggested in the above article didn't work for me.)
January 31st, 2015 8:37pm