Web Enrolment on Single Enterprise 2003 CA
Hi, I have a question about issuing computer certificates to computers that are not joined to our domain. I have an enterprise 2003 CA which is on our LAN and is issuing computer certificates via auto enrolment. I would like to use this same CA to issue computer certs to clients on the internet only via Web Enrolment. I don't have a lot of experience with PKI, so I am looking for advice on the steps involved to achieve this.

1. How can I enable Web Enrolment securely on my LAN based CA (make available only over https)?
2. Will securing IIS have an effect on my current configuration of Auto Enrolment of Certificates?
3. Do I need to set up special permissions on the Certificate Template for Web Enrolment?
4. What ISA configuration is required?

Any advice would be appreciated, Thanks, Sean.
July 20th, 2009 9:15pm

Hi, Thank you for your post. Please check the answers below:

1. How can I enable Web Enrolment securely on my LAN based CA (make available only over https)?

You can request a WebServer certificate and bind it to the web site on the Web Enrollment server. If you want the web site to require SSL communication, please click the Require secure-channel (SSL) check box. For more information, please refer to the following article:

How To Set Up an HTTPS Service in IIS
http://support.microsoft.com/kb/324069

2. Will securing IIS have an effect on my current configuration of Auto Enrolment of Certificates?

No.

3. Do I need to set up special permissions on the Certificate Template for Web Enrolment?

What is the computer certificate used for? If it is used for Server Authentication, you can enroll the Web Server certificate for the computer. In this way, you just need to ensure that the user account requesting the Web Server certificate has been granted the Enroll permission for the Web Server certificate template.

To enroll the Web Server certificate, access the web site, click Request a certificate, click advanced certificate request, click Create and submit a request to this CA, select the Web Server certificate template, type the appropriate information, select the Store certificate in the local computer certificate store checkbox, click Submit and install the certificate.

4. What ISA configuration is required?

Publish the 80 and 443 ports. For security purposes, you may consider installing the Certificate Service Web Enrollment Support component on a separate server. In this way, you can publish that server instead of the CA to the Internet. In addition, please ensure that the non-domain joined client computers can access the AIA and CDP locations of the certificate. Thanks.
July 21st, 2009 2:26pm
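The answer above describes the browser flow for a machine certificate plus the AIA/CDP reachability requirement. The following PowerShell script is an added example, not code from the thread or from Microsoft: it performs the same enrolment from a non-domain-joined client using the Web Enrollment pages' "submit a base-64-encoded request" option instead of the ActiveX form, and then checks that every http:// AIA and CDP location in the issued certificate is actually reachable from that client. The server name pki.example.com, the template name WebServer, the subject client01.example.com and the file paths are assumptions; replace them with your own. It relies only on certreq.exe and certutil.exe, which ship with Windows.

```powershell
# Added example (not from the original thread). Enrol a machine certificate on a
# non-domain-joined Windows client through the CA's Web Enrollment (certsrv) pages,
# then verify the client can fetch the certificate's AIA and CDP locations.
# Assumed values (replace): EnrollUrl, Template, Subject, WorkDir.
param(
    [ValidateSet("Request", "Accept")] [string]$Phase = "Request",
    [string]$EnrollUrl = "https://pki.example.com/certsrv",   # assumed
    [string]$Template  = "WebServer",                         # assumed
    [string]$Subject   = "CN=client01.example.com",           # assumed
    [string]$WorkDir   = "$env:TEMP\enrol"                    # assumed
)

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$inf = Join-Path $WorkDir "request.inf"
$req = Join-Path $WorkDir "request.req"
$cer = Join-Path $WorkDir "issued.cer"

function New-MachineRequest {
    # MachineKeySet=TRUE stores the key in the local computer store (what the
    # "Store certificate in the local computer certificate store" checkbox does in
    # the browser flow). Exportable=FALSE keeps the private key on this host.
    # CertificateTemplate is required: an enterprise CA rejects a request that
    # does not name a template, and the submitting user needs Enroll on it.
    @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

    # Generate the key pair and a base-64 PKCS#10 request (run elevated).
    certreq.exe -new $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }
    Write-Host "Paste the contents of $req into $EnrollUrl"
    Write-Host "(Request a certificate > advanced certificate request > submit a"
    Write-Host " base-64-encoded CMC or PKCS #10 request), download the issued"
    Write-Host "certificate as Base 64 to $cer, then re-run with -Phase Accept."
}

function Install-IssuedCert {
    # Binds the issued certificate to the pending request and its private key.
    certreq.exe -accept $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed" }
}

function Test-CertUrls([string]$CerPath, [int]$TimeoutMs = 5000) {
    # Pull every http:// URL out of the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1)
    # extensions and fetch it from this client. A non-domain client cannot use
    # the ldap:/// locations an enterprise CA also publishes, so only HTTP counts.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    foreach ($oid in "2.5.29.31", "1.3.6.1.5.5.7.1.1") {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if (-not $ext) { continue }
        $urls = [regex]::Matches($ext.Format($true), 'http://[^\s,)]+') | ForEach-Object { $_.Value }
        foreach ($u in $urls) {
            $ok = $false
            try {
                $r = [System.Net.WebRequest]::Create($u)
                $r.Timeout = $TimeoutMs
                $resp = $r.GetResponse()
                $ok = ($resp.StatusCode -eq 'OK')
                $resp.Close()
            } catch { $ok = $false }
            New-Object PSObject -Property @{ Extension = $ext.Oid.FriendlyName; Url = $u; Reachable = $ok }
        }
    }
}

switch ($Phase) {
    "Request" { New-MachineRequest }
    "Accept"  {
        Install-IssuedCert
        Test-CertUrls $cer | Format-Table Extension, Reachable, Url -AutoSize
        # Authoritative end-to-end check of the whole chain from this client:
        certutil.exe -verify -urlfetch $cer
    }
}
```

Run the script once with `-Phase Request`, submit the generated request through the certsrv pages over HTTPS, save the Base 64 certificate to the path it prints, and run it again with `-Phase Accept`. Any row with `Reachable = False` means the client will not be able to build or revocation-check the chain, which is the AIA/CDP problem the answer warns about; on an enterprise CA whose only CDP/AIA locations are ldap:/// you must add http:// locations before Internet clients can use the certificates. The `certutil -verify -urlfetch` call at the end repeats the same check with Windows' own chain engine and reports the first location it cannot retrieve. On the server side, the "Require secure channel (SSL)" setting from answer 1 corresponds on IIS 6 to the `AccessSSL` metabase property on the `w3svc/1/root/CertSrv` node, so it only affects the web enrolment virtual directory and not the CA service that autoenrolment uses over RPC/DCOM.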

Hi, Many thanks for your reply. It has cleared up a lot of confusion for me as I don't have much experience in this area. Thanks Again, Sean.
July 22nd, 2009 1:40am

Hi, Glad that the information is helpful. If you have any further questions and concerns, please feel free to let us know. Have a nice day.
July 22nd, 2009 5:19am
