Configuring CAWE, CES/CEP and NDES on one server separate from a Certificate Authority


Glenn Poole II

Dear Forum Team,

I'm building a PKI system for a network. We will have a stand-alone offline Root CA and a Subordinate Issuing Enterprise CA. We have domain-joined Windows servers (all 2012) and workstations (Windows 10). We also have several non-domain-joined Linux servers running RHEL or CentOS, scores of devices that serve web consoles, and a lot of network devices that need to be enrolled with certificates. I'd like to install all of the following on a third server (a "Registration Authority"):

  • Certificate Authority Web Enrollment (CAWE)
  • Certificate Enrollment Web Service (CES)
  • Certificate Enrollment Policy Web Service (CEP)
  • Network Device Enrollment Service (NDES)
  • an HTTP publication point for the CRLs and certificates

I'd like to run CES/CEP with Windows Integrated Authentication and run all four services under a single, properly delegated domain service account.

In a test environment, I have only the following working:

  • the Offline Root CA
  • the Subordinate Issuing CA
  • the HTTP publication point for CRLs and certificates
  • CAWE

I cannot get CES/CEP or NDES to work.

So my opening question is: Can I even put all four of these on one server?

If the answer is "yes", then I need direction to discover what's failing... Is it service account delegation problems? Is it certificate template mis-configuration or issuance? Is it IIS mis-configurations?

I have done a lot of research on this subject and tried a lot of things, so if you have some ideas to direct me, I can provide logs and details of specific certificate, IIS, service principal name, etc. configurations.

Thanks,

Glenn
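The first checks a practitioner would run for the three suspects named above (service-account delegation, SPNs, IIS configuration), as an added PowerShell diagnostic that is not part of the original post. It assumes the enrollment sites live under "Default Web Site", uses the placeholder service account name svc-pki, and needs the RSAT ActiveDirectory module on the RA server; it only reads configuration and changes nothing.

```powershell
# Added read-only diagnostic for a combined CAWE/CES/CEP/NDES server.
# Assumptions: domain-joined RA host, service account 'svc-pki' (placeholder),
# enrollment apps under 'Default Web Site', RSAT AD module present.
Import-Module ServerManager
Import-Module ActiveDirectory
Import-Module WebAdministration

$ServiceAccount = 'svc-pki'   # placeholder sAMAccountName of the delegated service account
$RaHost = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # FQDN clients will use

# 1. Which AD CS role services are actually installed on this box?
$features = 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc', 'ADCS-Enroll-Web-Pol', 'ADCS-Device-Enrollment'
Get-WindowsFeature -Name $features | Select-Object Name, InstallState | Format-Table -AutoSize

# 2. Kerberos prerequisites for Windows Integrated Authentication:
#    when the app pools run as the service account, HTTP/<RA FQDN> must be an SPN on
#    that account (not on the machine account), and for CES talking to a CA on another
#    host the account needs constrained delegation to HOST/<CA FQDN> and rpcss/<CA FQDN>.
$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation
"SPNs registered on ${ServiceAccount}:"; $acct.servicePrincipalName
"Constrained delegation targets:";       $acct.'msDS-AllowedToDelegateTo'
if ($acct.servicePrincipalName -notcontains "HTTP/$RaHost") {
    Write-Warning "HTTP/$RaHost is not on $ServiceAccount; Kerberos to the enrollment sites will fail or fall back to NTLM."
}
if (-not $acct.'msDS-AllowedToDelegateTo') {
    Write-Warning "$ServiceAccount has no constrained delegation targets; CES cannot forward callers to a remote CA."
}
# Duplicate SPNs break Kerberos silently; setspn -X lists them forest-wide.
setspn -X

# 3. IIS: each enrollment app should run in an app pool using the service account,
#    and CES/CEP should have Windows authentication enabled.
Get-WebApplication |
    Where-Object { $_.Path -match 'CES|CEP|certsrv' } |
    ForEach-Object {
        $pool = Get-Item "IIS:\AppPools\$($_.applicationPool)"
        $auth = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "Default Web Site$($_.Path)" `
                    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
        [pscustomobject]@{
            App     = $_.Path
            AppPool = $_.applicationPool
            RunsAs  = $pool.processModel.userName   # blank means a built-in identity, not the service account
            WinAuth = $auth.Value
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the RA server; the NDES applications appear under /certsrv (mscep and mscep_admin), so the same filter covers all four services.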
