Windows XP SHA256 and its impact on Auto-Enrolment
Hi Guys, Interested to hear some ideas relating to an issue that has popped up regarding SHA256 crypto and compatibility problems with Windows XP.

My environment is a 2-tier Windows 2008 R2 based PKI. The root is an offline root, with both tier CA certs and CRLs published to a web cluster. OCSP is enabled and registered in the certificates for use with those clients that support it. The CRLs and certs are also published to ADDS. The maximum key length is 2048 bytes and the cryptography provider is MS Software KSP with SHA256 hash algorithm.

I want to deploy certificates based on the default workstation certificate to my organization's workstations in order to implement 802.1x auth. The workstation environment consists of 50% Windows 7 and 50% Windows XP SP3. We aim to phase out Windows XP SP3 completely in about 6 months. There are a few hundred workstations and I have been able to deploy the certificates to the Windows 7 workstations successfully using auto-enrolment services. However, the Windows XP SP3 workstations have difficulty with auto-enrolling.

I have reviewed this blog post http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx and discovered the limitations of Windows XP SP3 with a PKI that utilizes SHA256. I have installed the hotfix from KB968730 on my Windows XP machines and I can manually enroll from the Certificates MMC snap-in on the Windows XP machines.

My issue is, with about 100 Windows XP workstations left to go, I want to find out if there is an out-of-the-box command-line version of the certificates MMC enrolment process for a computer certificate that I can use that comes with XP SP3 (without having to install certutil). What other options do I have to deploy workstation certificates to about 100 XP computers?

Kind Regards
Aaron Bowden
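As an added illustration (not posted by anyone in this thread, and not Microsoft's documentation), this is one way the manual MMC enrolment of a machine certificate can be scripted with certreq.exe and an INF request file. It assumes certreq.exe is present on the workstation, that the "Workstation Authentication" template's internal name is `Workstation` (rename to match the template you actually publish), and the CA host and CA name `CA01.example.local\Example Issuing CA` are placeholders for your issuing CA. The script is meant to be run from an elevated cmd.exe on each machine, or pushed out as a computer startup script.

```batch
@echo off
rem Added example: request, submit and install a machine certificate from the command line.
rem Assumes certreq.exe is available; CA name and template name below are placeholders.
setlocal
set REQDIR=%TEMP%\wscert
set CACONFIG=CA01.example.local\Example Issuing CA
set TEMPLATE=Workstation
if not exist "%REQDIR%" mkdir "%REQDIR%"

rem Build the INF. MachineKeySet=TRUE stores the key in the computer context,
rem Exportable=FALSE keeps the private key from leaving the workstation.
(
  echo [NewRequest]
  echo Subject = "CN=%COMPUTERNAME%.example.local"
  echo KeyLength = 2048
  echo KeySpec = 1
  echo MachineKeySet = TRUE
  echo Exportable = FALSE
  echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
  echo RequestType = PKCS10
  echo [RequestAttributes]
  echo CertificateTemplate = %TEMPLATE%
) > "%REQDIR%\workstation.inf"

rem 1. Generate the key pair and PKCS#10 request.
certreq -new -q "%REQDIR%\workstation.inf" "%REQDIR%\workstation.req"
if errorlevel 1 goto :fail

rem 2. Submit the request to the issuing CA (the template must auto-issue for this to return a cert).
certreq -submit -q -config "%CACONFIG%" "%REQDIR%\workstation.req" "%REQDIR%\workstation.cer"
if errorlevel 1 goto :fail

rem 3. Install the issued certificate against the pending key in the machine store.
certreq -accept -q "%REQDIR%\workstation.cer"
if errorlevel 1 goto :fail

echo Machine certificate enrolled for %COMPUTERNAME%.
endlocal
exit /b 0

:fail
echo Enrolment failed; check the CA's failed requests and the workstation's SHA-2 support (KB968730).
endlocal
exit /b 1
```

The subject DNS suffix `example.local` is also a placeholder; if the published template builds the subject from Active Directory, the `Subject` line can be dropped and the CA will fill it in. Keep the request files on the local disk only, since the `.req` and `.cer` files contain no private key but do reveal the hostname and template in use.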
March 25th, 2012 8:05pm

Thanks Vadims, I ended up just manually enrolling the certificates on the machines that were having troubles. Kind Regards Aaron
April 9th, 2012 9:32pm

Hi Aaron, I have a question for you regards your setup. I also am trying to get some Windows XP machines connected to our wireless network using EAP-TLS. I'm getting an error when trying to use a computer certificate, stating "unable to find certificate to login with". Are you using computer or user certificates? Regards, Hugh
April 10th, 2012 8:01pm

Hi Hugh, We are using computer certificates. One of the major features we are using the PKI for is to implement wired 802.1x authentication with EAP-TLS. Once I installed that hotfix from KB968730, I was able to enrol the workstation certificate. Regards, Aaron
April 10th, 2012 8:10pm

Hi Aaron, I have installed the hotfix already, which fixed the enrollment issue, but am still getting the certificate not found issue. The certificate appears in the local computer certificate store, but when I try and connect to the wireless network, I'm getting the error about being unable to find a certificate to log in with. Are you manually requesting the certificate for each workstation, or is it being auto-enrolled? I'm wondering if it's because it's being auto-enrolled and there's something missing in the certificate.

I created a "Wireless Computer" certificate template, based off the "Workstation Authentication" certificate template, with the following changes:

- Changed the validity period to 6 months as required for our environment.
- Subject Name format changed from blank to DNS name (this fixed the no certificate found error on Windows 7).
- Subject Alternate Name set to UPN instead of DNS name.
- Assigned a group to have Read, Enroll and Autoenroll permissions (all wireless computers needing a certificate are added to this group).

Regards, Hugh
April 11th, 2012 11:37am

Aaron, I worked out what my issue was. There's a registry setting for Windows XP SP3 that forces the authentication mode to use computer authentication. Here's the location of the entry and the setting value.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
DWORD Name: AuthMode
DWORD Value: 2

After setting this value and rebooting, it connected without an issue. Regards, Hugh
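An added example (not from Hugh's post) of applying the registry fix above with the reg.exe tool that ships with Windows XP, so it can be pushed to the remaining XP machines as a startup script instead of being set by hand. The `reg add` and `reg query` switches used here (`/v`, `/t`, `/d`, `/f`) are standard; the check-before-write and the error handling are the added part.

```batch
@echo off
rem Added example: set EAPOL AuthMode=2 (computer authentication) on Windows XP SP3 and verify it.
rem Key path and value are the ones given in the thread; nothing else about the machine is assumed.
setlocal
set KEY=HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
set NAME=AuthMode
set WANT=0x2

rem Read the current value; reg query prints "    AuthMode    REG_DWORD    0x2" when it exists.
for /f "tokens=3" %%V in ('reg query "%KEY%" /v %NAME% 2^>nul ^| find /i "%NAME%"') do set CUR=%%V

if /i "%CUR%"=="%WANT%" (
  echo %NAME% already set to %WANT%; nothing to do.
  endlocal
  exit /b 0
)

rem Create the key if needed and write the DWORD; /f overwrites silently without prompting.
reg add "%KEY%" /v %NAME% /t REG_DWORD /d 2 /f >nul
if errorlevel 1 (
  echo Failed to write %KEY%\%NAME%; run from an administrator account.
  endlocal
  exit /b 1
)

rem Re-read to confirm the write took effect before announcing success.
set CUR=
for /f "tokens=3" %%V in ('reg query "%KEY%" /v %NAME% 2^>nul ^| find /i "%NAME%"') do set CUR=%%V
if /i not "%CUR%"=="%WANT%" (
  echo Verification failed: %NAME% reads "%CUR%" instead of %WANT%.
  endlocal
  exit /b 1
)

echo %NAME% set to %WANT%. A reboot is required for the EAPOL service to pick up the change.
endlocal
exit /b 0
```

Because the value lives under HKLM, the script needs to run in an administrative context (a computer startup script runs as SYSTEM, which is sufficient). The reboot Hugh mentions is still required; the script only reports it.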
April 11th, 2012 11:59am
