Why would I want to publish certificates to AD?
Hi folks, this may be a n00b question, but I'm unsure why it's desirable to publish certs issued by the online enterprise issuing CA to AD. I notice each template has a 'Publish certificate in Active Directory' checkbox on the General tab, but I'm unsure whether to tick it or not. What advantages might there be in publishing a cert to AD? Should I do it for users but not computers? Any info appreciated, and thanks, Ian
July 11th, 2011 11:34pm

Publishing an issued certificate to AD has two main reasons. The first is when you want to restrict issuance of certificates from a specific template so that re-enrollment is not possible unless the published certificate has been removed from AD. The second is when it is necessary to make the certificate available to other AD users or services. A good example here is S/MIME, where you need to publish the user's certificate so other users can find the recipient's certificate and apply S/MIME. Generally speaking, authentication certificates for users and computers are never or very seldom published in AD. /Hasain
July 12th, 2011 12:07am

Thanks Hasain!
July 12th, 2011 12:39am

> Generally speaking, authentication certificates for users and computers are never or very seldom published in AD

This is not quite correct. Authentication certificates (based on the Administrator and/or User templates, and some others) are configured for certificate publication. This can be used for non-interactive logon (by using explicit mapping) such as IIS integrated authentication, VPN, wireless, etc. These authentication forms support both implicit and explicit certificate mapping. In this case the DC checks whether the presented certificate is stored in the user's account properties.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
July 12th, 2011 1:39pm
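The two mechanisms the replies above argue about live in different attributes on the user object: the template's 'Publish certificate in Active Directory' checkbox writes the issued certificate's DER bytes into the multi-valued userCertificate attribute, while explicit mapping stores a string such as X509:<I>issuer<S>subject in altSecurityIdentities. The following PowerShell is an added example written for this page; it is not code from the thread, from either poster, or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, and the account name 'ian' and the CA/DN values in the comments are hypothetical. It reads both attributes so you can see exactly what "published" and "mapped" look like, and shows how the mapping string is derived from a certificate (DN components in reverse order, and the serial number in reversed byte order for the <SR> form) without actually changing the account.

```powershell
# Added example for this thread (not the thread's or Microsoft's own code).
# Requires the RSAT ActiveDirectory module; the account 'ian' is hypothetical.
Import-Module ActiveDirectory

$sam  = 'ian'   # hypothetical account name
$user = Get-ADUser -Identity $sam -Properties userCertificate, altSecurityIdentities

# 1. What "Publish certificate in Active Directory" actually does: each value of
#    userCertificate is the DER-encoded certificate itself.
$published = foreach ($der in $user.userCertificate) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
}
"Published certificates on $sam (userCertificate):"
$published | Select-Object Subject, Issuer, NotAfter, SerialNumber, Thumbprint |
    Format-Table -AutoSize

# 2. What explicit mapping looks like: altSecurityIdentities holds strings, not certs.
"Explicit mappings on $sam (altSecurityIdentities):"
$user.altSecurityIdentities

# Helper: AD expects the DN components in reverse order (root component first).
# Using the multi-line X500 formatter keeps escaped commas inside a single RDN intact,
# which a naive -split ',' would not.
function ConvertTo-ReversedDN {
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name)
    $parts = $Name.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' }
    [array]::Reverse($parts)
    return ($parts -join ',')
}

# Helper: the <SR> (serial number) form wants the serial in reversed byte order.
function ConvertTo-ReversedSerial {
    param([string]$SerialHex)
    $bytes = for ($i = 0; $i -lt $SerialHex.Length; $i += 2) { $SerialHex.Substring($i, 2) }
    [array]::Reverse($bytes)
    return ($bytes -join '')
}

# Build mapping strings from a certificate. Here the first published certificate is
# used; in practice you would load the cert from a file or the user's smart card.
$cert = $published | Select-Object -First 1
if ($cert) {
    $issuer  = ConvertTo-ReversedDN $cert.IssuerName
    $subject = ConvertTo-ReversedDN $cert.SubjectName
    # Issuer + subject form, e.g.
    #   X509:<I>DC=com,DC=contoso,CN=Contoso-CA<S>DC=com,DC=contoso,CN=Users,CN=Ian
    $mapIS = "X509:<I>$issuer<S>$subject"
    # Issuer + serial form, which survives subject renames and is unique per cert:
    $mapSR = "X509:<I>$issuer<SR>$(ConvertTo-ReversedSerial $cert.SerialNumber)"

    "Candidate mapping strings:"
    $mapIS
    $mapSR

    # Mapping is a separate write from publishing; -WhatIf shows the change without
    # applying it. Drop -WhatIf to actually add the mapping.
    Set-ADUser -Identity $sam -Add @{ altSecurityIdentities = $mapSR } -WhatIf
}
```

Running this against an account that only has the template checkbox ticked shows a populated userCertificate and an empty altSecurityIdentities; an account mapped by hand shows the reverse. The issuer/subject form is the one the linked TechNet article describes; prefer the serial-number form where you control the mapping, since it ties the account to one specific certificate rather than to any certificate the CA issues with that subject.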

Certificate mapping is not the same as publishing a certificate to AD! Please refer to the TechNet article: Map a certificate to a user account http://technet.microsoft.com/en-us/library/cc736781(WS.10).aspx /Hasain
July 12th, 2011 4:43pm

Of course they are not the same. But it requires a published certificate in AD.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
July 13th, 2011 8:36am
