PKI certificate enrollment behind firewall
We have a PKI set up in our lab with 1 root, 1 issuing CA and 1 CDP. We have an edge network in our lab using an RODC (Read Only Domain Controller) and a serverX in that RODC edge network. There is a firewall between the network that the root, CA and CDP are on, and the network the RODC and serverX are on. We do not have "Certificate Services Client - Credential Roaming" enabled in Active Directory. We have a user certificate template and a computer certificate template. Both have Autoenroll turned on in Security: "Domain Users" for the user certificate and "Domain Computers" for the computer certificate. Neither the user nor the computer certificate is being published into Active Directory.

Since serverX is behind a firewall, we would expect that it would not receive either the user or computer certificate from the issuing CA without us having to open some ports, and this is indeed what we are seeing. However, if we go into the local computer -> Personal certificate folder on serverX, and then right click All Tasks -> Request New Certificate, we will see the computer certificate as being available to request. If we try to enroll the presented computer certificate, it will fail as expected.

How is the server certificate being presented as available to serverX if we have not opened up the ports on the firewall? How is serverX getting the list of available certs if it cannot contact the issuing CA?
January 17th, 2013 10:54am

> How is the server certificate being presented as available to serverX if we have not opened up the ports on the firewall? How is serverX getting the list of available certs if it cannot contact the issuing CA?

Available certificate templates are queried from Active Directory, not from the CA server.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Check out new: PowerShell FCIV tool.
January 17th, 2013 11:28am
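The answer above can be checked from serverX itself. The following PowerShell is an added example, not code from the thread or from the PSPKI module: it reads the template objects and the CA (enrollment service) objects straight out of the Configuration partition, which an RODC replicates and any domain member can query over LDAP, and then probes the one path that enrollment actually needs, DCOM/RPC to the CA host. It assumes a domain-joined machine, a reachable DC, and `Test-NetConnection` (Windows 8 / Server 2012 or later); the function name is mine.

```powershell
# Added example. Shows why the "Request New Certificate" wizard lists templates
# even though the CA is unreachable: the list comes from AD, and only the
# request submission talks to the CA over DCOM/RPC.
# Assumptions: domain-joined host, reachable DC, Test-NetConnection available.
# Only TCP 135 (RPC endpoint mapper) is probed; DCOM then negotiates a dynamic
# high port that the firewall must also allow for enrollment to succeed.

function Get-PkiEnrollmentView {
    $configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # 1. Templates are pKICertificateTemplate objects in AD. This is the set the
    #    wizard enumerates, filtered by the Enroll/Autoenroll ACEs on each object.
    $templateContainer = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
    $templateNames = @(foreach ($t in $templateContainer.Children) {
        $t.Properties['cn'].Value
    })

    # 2. Each CA registers a pKIEnrollmentService object carrying its host name
    #    and the templates it is configured to issue. The client intersects this
    #    with the templates it may enroll for, still without touching the CA.
    $caContainer = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
    foreach ($ca in $caContainer.Children) {
        $caHost  = $ca.Properties['dNSHostName'].Value
        $offered = @($ca.Properties['certificateTemplates'] | ForEach-Object { $_ })

        # 3. The enrollment path itself. If this is blocked, the wizard still
        #    shows the template but the request cannot be submitted.
        $rpc = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue

        [pscustomobject]@{
            CA                   = $ca.Properties['cn'].Value
            CAHost               = $caHost
            TemplatesInAD        = $templateNames.Count
            TemplatesOfferedByCA = $offered
            RpcEndpointMapper    = if ($rpc.TcpTestSucceeded) { 'reachable' } else { 'blocked' }
        }
    }
}

Get-PkiEnrollmentView | Format-List
```

On serverX in the scenario above this should list the computer template under TemplatesOfferedByCA while reporting the RPC endpoint mapper as blocked, which is exactly the "visible but enrollment fails" behaviour described. `certutil -TCAInfo` gives a similar connectivity test from the built-in tooling.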

> Available certificate templates are queried from Active Directory, not from the CA server.

Even though we don't have the "Publish certificate in Active Directory" checkbox enabled on the certificate templates? What is that used for then?
January 17th, 2013 11:52am

> Even though we don't have the "Publish certificate in Active Directory" checkbox enabled on the certificate templates?

It is not related to the subject.

> What is that used for then?

It is used to publish the issued certificate to the respective account's properties in Active Directory. In most cases this certificate is used for shared EFS and secure email. Consider the following scenario: you want to send an encrypted mail to another user. Outlook just gets the recipient's certificate from Active Directory (the public part of the certificate) and encrypts the message. Once received, the recipient uses his/her private key to decrypt and read the message. The same behavior occurs when you want to share an encrypted file with another user. The EFS client just gets the other user's certificate from Active Directory and it is used to encrypt the Data Encryption Key.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Check out new: PowerShell FCIV tool.
January 17th, 2013 1:11pm
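To see concretely what the "Publish certificate in Active Directory" setting controls, the following added PowerShell (mine, not from the thread or the PSPKI module) reads the `userCertificate` attribute of an account, which is where the CA writes issued certificates when that checkbox is set and which Outlook (S/MIME) and EFS consult for another user's public key. It assumes a domain-joined host; the account name is a placeholder to substitute and the function name is mine.

```powershell
# Added example. Lists the certificates published to a user's userCertificate
# attribute in AD. An empty result for an account whose template does not
# publish to AD is expected: enrollment still works, but other users cannot
# look up the public key through AD for S/MIME or EFS sharing.
# Assumptions: domain-joined host; replace the placeholder account name.

function Get-PublishedUserCertificates {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')

    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found." }

    # Each value is a DER-encoded certificate (public part only).
    foreach ($raw in $result.Properties['usercertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        $eku  = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            EKU        = ($eku -join ', ')
        }
    }
}

Get-PublishedUserCertificates -SamAccountName 'EXAMPLE_USER'   # placeholder account
```

The EKU column is the useful check: a certificate published for secure email should carry "Secure Email", and one for EFS sharing "Encrypting File System"; stale or expired entries left in the attribute are a common reason encryption to a colleague picks the wrong key.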

Ah yes, that makes sense (and I even somewhat remember that portion of my PKI training now that you reminded me.... sort of anyhow). Thanks a bunch.
January 17th, 2013 2:10pm

