Issuing Certificates to a DMZ server

I'm in the process of setting up a PKI infrastructure for an SCCM 2012 environment. In order to manage travelling laptops over the internet, we installed a new Windows 2012 R2 server in the DMZ.  To communicate properly with the travelling SCCM clients, we need to install 2 certificates on this DMZ server.  This DMZ server is in a different forest/domain than the SCCM and CA server, with no trusts established between it and our production domain.  If it makes any difference, there is also no DNS forwarding, but I have added an entry to the hosts file on the DMZ server, and to the internal CA and SCCM servers (all Windows 2012 R2), so that they can resolve each other.

I've created the 2 certificate templates per the SCCM documentation on the internal CA server, but in the Security tab, there is no way for me to add the DMZ server for the "Read and Enroll" rights (since it's in another, untrusted forest.)  Since I can't enroll the certificates through the MMC console of the DMZ server, my next thought was that I could use the CA web enrollment method, and try to get certificates enrolled that way.   However, when I type in http://MY_CA_SERVER/certsrv, Internet Explorer spins for about 10-15 seconds, and then I get "Page cannot be displayed."  I added the webpage to the Trusted Sites in IE, but that did not help.  Visiting the CA webpage from a domain-joined computer works fine; it's just not working from the DMZ server.

Does this sound like a communications/port issue?  Between my internal domain and this DMZ server, I've currently got ports 80, 135, 443, 445, 1433, 8530, and 8531 open.  Do I need anything additional for Certificate Authority communication?  If I'm not approaching this in the correct manner, I'm also open to other suggestions on how to install these 2 certificates properly.

Thanks in advance for any advice.

May 1st, 2014 4:48pm

Hey there. The firewall in question is between my internal domain and the DMZ server (not the DMZ server and the internet). I spoke with the firewall expert, and apparently those ports weren't open between all domain computers and the DMZ server. The ports were only open between the SCCM server and the DMZ server.  We have now opened HTTP/HTTPS between the CA server and the DMZ server (at least temporarily), and I am able to load the webpage for the CA from the DMZ server.

Just to reiterate, I AM trying to use the certificate web enrollment services.  I just couldn't access the CA server webpage from the DMZ.  Now I can.

The next issue is that the certificate template was not showing up as an available option.  I read some other forums, which suggested that I need to change the template option to "supply in request."  I just did that, and I can see the certificate at this point.  I assume that I will need to manually specify the DNS name (since that is no longer built from the certificate).  Am I supposed to do that through the "Additional Attributes" dialogue box?  For example,

san:dns=webserver.domain.com

Am I on the right track here?

Thanks!

May 1st, 2014 8:20pm

> Am I on the right track here?

No. In order to use the SAN attribute in the web page, you have to enable SAN attributes on the CA server (they are disabled by default). Once you enable SAN attributes, your CA will become vulnerable to malicious certificate issuance. Any legitimate user who has permissions to enroll for certificates (any) will be able to pass any custom SAN value and impersonate another user. This is one of the reasons why we (and I always recommend it to others) do not use web enrollment pages starting with Windows Server 2008 and Windows Vista.

> I AM trying to use the certificate web enrollment services.

Again, no. Web enrollment pages (which you are trying to use) and web enrollment services are different things. Please check the wiki article (from my previous post) for more details about the difference.

May 2nd, 2014 3:21pm
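The alternative the reply argues for, as an added example that is not from this thread: leave SAN request attributes disabled on the CA and put the SAN inside the request itself, where the "Supply in the request" template setting will read it. The hostname, template name and CA config string are placeholders, and the EditFlags audit at the end runs on the CA, not on the DMZ server.

```powershell
# Added example, not from the thread. Step 1 runs on the DMZ server, step 3 on the CA.
# Placeholders: dmz-server.example.com, SCCMDmzWebServer, MY_CA_SERVER\MY_CA_NAME.

# Step 1: build a PKCS#10 request that carries its own SAN extension (OID 2.5.29.17).
# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dmz-server.example.com"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=dmz-server.example.com&"

[RequestAttributes]
CertificateTemplate = SCCMDmzWebServer
'@
Set-Content -Path "$env:TEMP\dmz-request.inf" -Value $inf -Encoding ASCII
certreq -new "$env:TEMP\dmz-request.inf" "$env:TEMP\dmz-request.req"

# Step 2: submit dmz-request.req to the CA. From a host that can authenticate to the CA:
#   certreq -submit -config "MY_CA_SERVER\MY_CA_NAME" dmz-request.req dmz-server.cer
# From the untrusted DMZ forest, paste the .req into the /certsrv page
# "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file" instead.
# Then, back on the DMZ server, bind the issued certificate to the pending key:
#   certreq -accept "$env:TEMP\dmz-server.cer"

# Step 3 (on the CA): confirm the dangerous flag is NOT set. With
# EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) enabled, any enrollee could supply
# an arbitrary "san:" attribute and obtain a certificate for another name.
$editFlags = certutil -getreg policy\EditFlags
if ($editFlags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Write-Warning 'SAN request attributes are enabled on this CA. Disable with:'
    Write-Warning '  certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2'
    Write-Warning '  then restart certsvc for the change to take effect.'
}
```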
