Posted by KeyMaster on April 30, 2007, 11:38 am
For clients where I don't have access to the console or to run scripts, what
would be the options there? Is there a website where they could download this
from?
Let's say I assign a cert to a web server that is accessible from the
outside using certs from my internal cert server. When browsing the website
from our domain the certification path is good, but when browsed from a
customer they get all the certificate errors. What certs would they need, the
issuing CA and the root CA certs or just the root?
"Brian Komar" wrote:
> On Sun, 29 Apr 2007 10:50:01 -0700, KeyMaster wrote:
>
> > What are the options for deploying root and int ca certs to clients that
> > are not part of your domain?
> >
> > For the clients that are part of the domain, do the root and int ca certs
> > automatically get deployed once you set up the certificate services
> > infrastructure?
> >
> > Thanks in advance
>
> If certificates are not part of the domain, you must come up with either a
> manual or scripted method to deploy the root and intermediate certificates.
> If certutil is deployed at the client, you can use certutil -addstore (if
> you run as local administrator)
>
> Root certificate: certutil -addstore -f Root [certfile.crt]
> Intermediate cert: certutil -addstore -f CA [certfile.crt]
>
> You can also use capicom scripting to do this. A sample of this code is
> included in my PKI book (ctool.vbs).
>
> For forest members, the easiest way to deploy offline CA certificates is to
> publish them to Active Directory:
>
> Root certificate: certutil -dspublish -f [certfile.crt] RootCA
> Intermediate cert: certutil -dspublish -f [certfile.crt] SubCA
>
> You do not have to perform this step for online CAs, as they will publish
> their information to AD automatically if they are domain or forest members.
>
> Brian
>
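The two certutil -addstore commands quoted above, wrapped in an added PowerShell example (not from this thread and not the ctool.vbs sample) that checks each file's thumbprint against a value obtained out of band before trusting it. The file names and thumbprint values are placeholders, and it assumes an elevated prompt on the client.

```powershell
# Added example, not part of the original thread.
# Run as local administrator. File names and thumbprints below are placeholders:
# get the real SHA-1 thumbprints from the CA owner over a separate channel.
$ErrorActionPreference = 'Stop'

$certs = @(
    @{ File = 'rootca.crt'; Store = 'Root'; Thumbprint = '<ROOT-CA-THUMBPRINT>' },
    @{ File = 'subca.crt';  Store = 'CA';   Thumbprint = '<ISSUING-CA-THUMBPRINT>' }
)

foreach ($c in $certs) {
    $path = (Resolve-Path -LiteralPath $c.File).Path
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

    # Normalise the expected value (strip spaces/colons) and compare with the file.
    $expected = ($c.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($x509.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch for $($c.File): file has $($x509.Thumbprint)"
    }

    # Sanity-check that the file is going into the right store:
    # a root is self-issued, an intermediate is issued by a different CA.
    $selfIssued = ($x509.Subject -eq $x509.Issuer)
    if ($c.Store -eq 'Root' -and -not $selfIssued) {
        throw "$($c.File) is not self-issued; refusing to add it to Root"
    }
    if ($c.Store -eq 'CA' -and $selfIssued) {
        throw "$($c.File) is self-issued; refusing to add it to CA"
    }
    if ($x509.NotAfter -lt (Get-Date)) {
        throw "$($c.File) expired on $($x509.NotAfter)"
    }

    # Same commands as in the reply above.
    & certutil.exe -addstore -f $c.Store $path
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed for $($c.File) (exit code $LASTEXITCODE)"
    }
}
```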