deploying certificates from a CA

Hi all,

I am hoping that you are able to help me.
I am currently configuring a CA for our work environment, and I'm confused about the method of deploying certificates through the CA.
I understand that you would need to duplicate a certificate template, and then amend the security permissions to allow certain user accounts \ computers to enrol the certificate, and then request \ enrol them from the client end.

This is great, but when I do it, the CA always creates the certificate with a public and private key attached. I understand that it's best practice to keep the private key on the certificate that's based on a server, and then on the client machines, they just hold the public key only. This will prevent anyone trying to extract the private key from the certificate.

I am currently creating a certificate on the CA to one machine only... then exporting the certificate without the private key, and then I'm deploying the certificate (with public key only) through group policy. Is this the way to do it? I always thought certificates were dished out by the CA so you wouldn't need to manually deploy them through group policy, or does everyone have the private key attached to certificates that are on workstations?

I could be missing the point altogether, as I have done a lot of reading on the net, and they all suggest the above method. If so, can someone clarify it for me?
Thanks for reading!
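
The export step described in the post above, as an added PowerShell example that is not part of the original post: it lists which certificates in a machine's Personal store have a private key bound to them, exports one as a certificate-only `.cer` file, and checks that the exported file carries no private key. The subject name and output path are placeholder assumptions.

```powershell
# Added example. Assumptions (not from the post): the certificate was enrolled
# into the local machine's Personal store; $Subject and $OutFile are placeholders.
$Subject = 'CN=server01.example.test'
$OutFile = Join-Path $env:TEMP 'server01-public.cer'

# 1. Show every certificate in the store and whether a private key is bound to it.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter |
    Format-Table -AutoSize

# 2. Pick the enrolled certificate (newest one if the subject was renewed).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with subject '$Subject' found in LocalMachine\My"
}

# 3. Export the certificate only. Export-Certificate writes the X.509
#    certificate (public key, names, CA signature); the private key stays
#    in the machine's key store and is not written to the file.
Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

# 4. Reload the exported file and verify what it contains.
$exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($OutFile)
if ($exported.HasPrivateKey) {
    throw "Exported file unexpectedly carries a private key"
}
if ($exported.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported certificate does not match the one in the store"
}

[pscustomobject]@{
    Subject              = $exported.Subject
    Thumbprint           = $exported.Thumbprint
    StoreHasPrivateKey   = $cert.HasPrivateKey
    ExportHasPrivateKey  = $exported.HasPrivateKey
    ExportedTo           = $OutFile
}
```

Reading `Cert:\LocalMachine\My` and the associated key normally requires an elevated session.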
 