CEP / CES certificate enrollment issue


Hello all,

We recently deployed a new two-tiered PKI solution with an offline root CA and a single subordinate CA. The offline root CA is not joined to any domain; the sub CA is joined to domain1. This is working as expected and certificates can be requested within domain1.

However, we've also got another domain, domain2. Computers within domain2 must also be able to request certificates using the same infrastructure. To make this possible we have configured the Certificate Enrollment Web & Policy Services (CES & CEP). Both roles are configured on the same VM, and they are configured as described in the following TechNet article:

Test Lab Guide: Demonstrating Certificate Key-Based Renewal

After configuration I tested whether a certificate could be requested using the URL of the web enrollment server.

The first test I did was using a non-domain-joined test machine.

I do this from MMC > add certificates > all tasks > advanced operations > manage enrollment policies > ADD, where I entered the enrollment policy server URL. After creating this enrollment policy, I can use it by requesting a new certificate and selecting the newly created enrollment policy, which asks for credentials. I enter credentials from a domain1 user which has permissions on a template. And voila... I can request a certificate.

However, here comes the issue. I expected my certificate infrastructure to be ready for use within domain2, so I started testing this out. First of all, all communication between the certificate requestor and the CEP/CES server is over port 443, so this port has been opened between all machines in domain2 and the server which has the CEP/CES roles. Now I try to create the enrollment policy manually on a test machine in domain2:

MMC > add certificates > all tasks > advanced operations > manage enrollment policies > ADD, where I enter the enrollment policy server URL. I click validate and the wizard asks for credentials; I enter the same credentials from the user in domain1 who has permissions on the template I want to use. After a long wait the following message is shown:

[Screenshot of the error message: 1207666.png]

I am certain that the server I configure can communicate with the CEP/CES server (vm1-cep01). This process has been tested on multiple servers, and every server in domain2 gets a timeout while trying to use the same URL that works on non-domain-joined machines. The non-domain-joined machines are in the same VLAN as the machines in domain2. At the same time, requesting certificates using the non-domain-joined machine all works as expected.

From the domain2 machine I can resolve DNS to the correct IP and I can telnet to port 443 on the CEP/CES server. I did a Wireshark capture and I can see the servers are exchanging packets. However, at a certain point in the communication a reset bit is sent and communication between the certificate requestor in domain2 and the CEP/CES server is stopped.

Wireshark capture screen:

[Screenshot of the Wireshark capture: 1207669.png]

Could anyone explain this behaviour?

I cannot wrap my head around the issue: the CEP/CES infrastructure seems to be working when requesting a certificate from a non-domain-joined machine, but when using any machine from domain2 I cannot add a new enrollment policy because of the timeout error, while at the same time I verified that there is communication between the CEP/CES server and the requesting server.
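Added example, not part of the original post: a PowerShell script that runs the connectivity checks described above stage by stage (DNS, TCP, TLS handshake, HTTP to the policy endpoint), so that running it on a domain2 machine and on a non-domain-joined machine shows at which stage the two diverge and whether the reset happens before any HTTP is sent. The CEP URL and hostname are placeholders; the path shown is the default CEP endpoint for username/password authentication and must be replaced with the URL entered in the MMC wizard.

```powershell
# Added diagnostic (not from the original post). Run it on a domain2 machine and
# on a non-domain-joined machine and compare the stage at which the output differs.
# $CepUrl is a placeholder for the enrollment policy server URL used in the wizard.
$CepUrl = 'https://vm1-cep01.domain1.example/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'
$uri = [System.Uri]$CepUrl
$targetHost = $uri.DnsSafeHost
$port = $uri.Port

# Stage 1: name resolution
$addresses = (Resolve-DnsName -Name $targetHost -Type A -ErrorAction Stop).IPAddress
"DNS : $targetHost -> $($addresses -join ', ')"

# Stage 2: plain TCP connect (the same thing the telnet test proves)
$tcpTest = Test-NetConnection -ComputerName $targetHost -Port $port -WarningAction SilentlyContinue
"TCP : port $port reachable = $($tcpTest.TcpTestSucceeded)"

# Stage 3: TLS handshake only, no HTTP yet. A failure or reset here, while the
# TCP connect succeeded, isolates the problem to the TLS layer (client Schannel
# protocol/cipher settings vs. the server) rather than to the CEP/CES web services.
$client = New-Object System.Net.Sockets.TcpClient($targetHost, $port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($targetHost)
    "TLS : $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
    "TLS : server certificate issued by '$($ssl.RemoteCertificate.Issuer)'"
} catch {
    $err = $_.Exception
    while ($err.InnerException) { $err = $err.InnerException }
    "TLS : handshake failed - $($err.Message)"
} finally {
    $ssl.Dispose()
    $client.Dispose()
}

# Stage 4: HTTP request to the policy endpoint without credentials. An HTTP 401
# proves the web service answered; only a missing response means the connection
# was cut before the application layer replied.
try {
    $resp = Invoke-WebRequest -Uri $CepUrl -UseBasicParsing -ErrorAction Stop
    "HTTP: status $($resp.StatusCode)"
} catch {
    $resp = $_.Exception.Response
    if ($resp) { "HTTP: status $([int]$resp.StatusCode) (endpoint answered)" }
    else { "HTTP: no response - $($_.Exception.Message)" }
}
```

Comparing the "TLS" lines from both machines (negotiated protocol and cipher, and whether the handshake completes at all) is the quickest way to tell whether the reset seen in the capture belongs to the TLS negotiation or to the later HTTP/authentication exchange.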
