Glenn Poole II
Dear Forum Team,
I'm building a PKI system for a network. We will have a stand-alone offline Root CA and a Subordinate Issuing Enterprise CA. We have domain-joined Windows servers (all 2012) and workstations (Windows 10). We also have several non-domain-joined Linux servers running RHEL or CentOS, scores of devices that serve web consoles, and a lot of network devices that need to be enrolled with certificates. I'd like to install all of the following on a third server (a "Registration Authority"):
- Certificate Authority Web Enrollment (CAWE)
- Certificate Enrollment Web Service (CES)
- Certificate Enrollment Policy Web Service (CEP)
- Network Device Enrollment Service (NDES)
- house an http publication point for the CRLs and Certificates
I'd like to run CES/CEP with Windows Integrated Authentication and run all four services under a single, properly delegated domain service account.
In a test environment, I have only the following working:
- the Offline Root CA
- The Subordinate Issuing CA
- the http publication point for CRLs and Certificates
- CAWE
I cannot get CES/CEP or NDES to work.
So my opening question is: Can I even put all four of these on one server?
If the answer is "yes", then I need direction to discover what's failing... Is it service account delegation problems? Is it certificate template mis-configuration or issuance? Is it IIS mis-configurations?
I have done a lot of research on this subject and tried a lot of things, so if you have some ideas to direct me, I can provide logs and details of specific certificate, IIS, service principal name, etc. configurations.
Thanks,
Glenn
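The post asks whether the failure is service account delegation, certificate templates, or IIS. The script below is an added example, not code from the poster or from Microsoft, that checks the three configuration points that most often break CES/CEP with Windows Integrated Authentication when all role services share one domain service account: the HTTP SPN for the RA host must sit on the service account (and on nothing else), that account must be allowed constrained delegation to the CA's HOST and rpcss services, and each IIS enrollment application must run in an application pool using that account with Windows authentication on and anonymous access off. All host names, the CA config string and the account name (ra01.corp.example, ca01.corp.example, "Corp Issuing CA", CORP\svc-pki) are assumptions to be replaced with your own; the script only reads configuration and changes nothing.

```powershell
# Added diagnostic for the one-server RA layout described in the post (CES/CEP/NDES/CAWE
# on a single host, one domain service account). Not the poster's code. All names below
# are assumed placeholders; substitute your own. Run on the RA server as a domain admin
# with RSAT-AD-PowerShell and the IIS WebAdministration module installed.
Import-Module ActiveDirectory
Import-Module WebAdministration

$ra    = 'ra01.corp.example'                     # assumed RA host (CES/CEP/NDES/CAWE)
$ca    = 'ca01.corp.example'                     # assumed issuing CA host
$caCfg = 'ca01.corp.example\Corp Issuing CA'     # assumed CA config string ("host\CA name")
$svc   = 'svc-pki'                               # assumed sAMAccountName of the service account
$svcNb = "CORP\$svc"                             # assumed NetBIOS form, as IIS shows it

$acct = Get-ADUser $svc -Properties servicePrincipalName, msDS-AllowedToDelegateTo,
                                    TrustedForDelegation, TrustedToAuthForDelegation

# 1. SPN check. With a custom app pool identity, Kerberos tickets for the CES/CEP URLs
#    are encrypted for whichever principal holds HTTP/<ra-fqdn>. If that SPN is missing
#    or also registered on the RA computer object, clients fall back to NTLM, and NTLM
#    cannot be delegated onward to the CA.
"== SPNs =="
foreach ($spn in @("HTTP/$ra", "HTTP/$($ra.Split('.')[0])")) {
    $onSvc  = $acct.servicePrincipalName -contains $spn
    $others = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
              Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }
    $dup = if ($others) { "  DUPLICATE on: $($others.Name -join ', ')" } else { '' }
    "{0,-40} on {1}: {2}{3}" -f $spn, $svcNb, $onSvc, $dup
}

# 2. Delegation check. CES submits requests to the CA over DCOM on behalf of the
#    enrolling user, so the service account needs constrained delegation to the CA's
#    HOST and rpcss services. Protocol transition is only needed for clients that
#    cannot do Kerberos themselves.
"== Delegation =="
foreach ($target in @("HOST/$ca", "rpcss/$ca")) {
    "{0,-40} allowed: {1}" -f $target, ($acct.'msDS-AllowedToDelegateTo' -contains $target)
}
"Unconstrained (TrustedForDelegation): $($acct.TrustedForDelegation)  (expect False)"
"Protocol transition (TrustedToAuthForDelegation): $($acct.TrustedToAuthForDelegation)"

# 3. Local rights on the RA: the account that runs the enrollment app pools must be in
#    IIS_IUSRS on this host, or the pools start and then fail on first request.
"== Local group =="
$iisUsers = net localgroup IIS_IUSRS
"$svcNb in IIS_IUSRS on ${ra}: $($iisUsers -contains $svcNb)"

# 4. IIS check per application: pool identity, Windows vs anonymous auth, and whether
#    kernel-mode Windows auth is told to use the pool's credentials. With a service
#    account SPN but useAppPoolCredentials=false, IIS tries the machine key and Kerberos
#    authentication fails even though every SPN is correct.
"== IIS applications =="
foreach ($site in Get-Website) {
    foreach ($app in Get-WebApplication -Site $site.Name) {
        $psPath = "IIS:\Sites\$($site.Name)$($app.path)"
        $pool   = Get-Item "IIS:\AppPools\$($app.applicationPool)"
        $win    = Get-WebConfigurationProperty -PSPath $psPath -Name enabled `
                    -Filter 'system.webServer/security/authentication/windowsAuthentication'
        $pool2  = Get-WebConfigurationProperty -PSPath $psPath -Name useAppPoolCredentials `
                    -Filter 'system.webServer/security/authentication/windowsAuthentication'
        $anon   = Get-WebConfigurationProperty -PSPath $psPath -Name enabled `
                    -Filter 'system.webServer/security/authentication/anonymousAuthentication'
        "{0,-45} pool='{1}' runsAs='{2}' winAuth={3} useAppPoolCreds={4} anonymous={5}" -f `
            $psPath, $app.applicationPool, $pool.processModel.userName,
            $win.Value, $pool2.Value, $anon.Value
    }
}

# 5. Can this host reach the CA over RPC/DCOM at all? certutil -ping is the quickest
#    smoke test; a failure here is network/DCOM, not delegation or templates.
"== CA reachability =="
certutil -config $caCfg -ping
```

Read the output top to bottom: a missing or duplicated HTTP SPN, a missing HOST/rpcss delegation entry, or an enrollment application whose pool runs as the service account with useAppPoolCredentials=false each explains a CES/CEP failure on its own, so fix the first one reported before looking at templates. NDES has its own prerequisites (Request Certificates permission on the CA and read/enroll on its templates) that this script does not cover.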