From 389 Directory Server
The following how-tos explain how to enroll for different types of certificates using our Auto Enrollment Proxy (AEP).
Automagically
Once the AEP service is started, Windows automagically figures out that a PKI enrollment service is available, and if the domain controller doesn't have a certificate, it submits a request for one. If you don't see this happen, follow the manual instructions below to get a certificate.
Manually - Using MMC
- HowTO: Windows Domain Controller certificate enrollment
- HowTO: Windows WebServer Certificate enrollment
Manually - Using Certreq
- Use certreq to create a certificate request.
- Use certreq to submit the request to a CA.
- Use certreq to install the certificate.
- Verify that the certificate is now available under Certificate -> Local Computer -> Personal -> Certificates in MMC.
certreq -new request.inf dc-cert-request.req
certreq -submit dc-cert-request.req dc-cert.cer
certreq -accept dc-cert.cer
request.inf sample file
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=optimusvm10.three.com"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = DomainController
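An added example (not part of the original page or the 389 Directory Server project): a PowerShell check that parses a request.inf and flags key settings worth reviewing before running certreq -new. The function names, the 2048-bit minimum and the chosen checks are assumptions; the input is an abridged copy of the sample file above.

```powershell
# Added example: audit a certreq request.inf before running "certreq -new".
# The 2048-bit minimum and the non-exportable-key rule are assumed policy values.
function ConvertFrom-RequestInf {
    param([string[]]$Lines)
    $inf = @{}; $section = $null          # @{} keys are case-insensitive, like INF keys
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Section header such as [NewRequest]
            $section = $Matches[1]; $inf[$section] = @{}
        } elseif ($section -and $text -notmatch '^;' -and $text -match '^([^=]+)=(.*)$') {
            # key = value pair; surrounding double quotes are stripped from the value
            $inf[$section][$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    return $inf
}

function Test-RequestInf {
    param([hashtable]$Inf, [int]$MinKeyLength = 2048)
    $req = $Inf['NewRequest']
    if (-not $req) { return 'No [NewRequest] section found' }
    $findings = @()
    if ($req.ContainsKey('KeyLength') -and [int]$req['KeyLength'] -lt $MinKeyLength) {
        $findings += "KeyLength = $($req['KeyLength']) is below $MinKeyLength bits"
    }
    if ($req['Exportable'] -eq 'TRUE') {
        $findings += 'Exportable = TRUE: the private key can be exported from this machine'
    }
    if ($req['MachineKeySet'] -ne 'TRUE') {
        $findings += 'MachineKeySet is not TRUE: the key is not created in the machine context'
    }
    return $findings
}

# Abridged copy of the sample request.inf on this page, embedded so the script runs offline.
$sample = @'
[NewRequest]
Subject = "CN=optimusvm10.three.com"
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
[RequestAttributes]
CertificateTemplate = DomainController
'@ -split "`r?`n"

$findings = Test-RequestInf -Inf (ConvertFrom-RequestInf -Lines $sample)
if ($findings) { $findings | Write-Warning } else { 'request.inf passed all checks' }
```

To audit a real file, pass `(Get-Content request.inf)` as `-Lines` instead of `$sample`.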
Running certreq silently
Use the following sample command to run certreq silently. The -config option names the CA (as CAHostName\CAName), so certreq does not prompt for one. The command gets a certificate issued and writes it to a file.
certreq -f -v -config "optimusvm12.japan.com\Certificate Authority - SUBCA - celeno.dsqa.sjc2.redhat.com" -submit dc-cert-request.req dc-cert.cer
