2nd October 2016, 12:46 #1
Enrolling for computer certificates On Behalf of...
Greetings to the Wizards,
I hope someone can help me with my problem or point me in the right direction:
we have a security system (authenticator) enforcing 802.1X restriction on wireless access. The authenticator uses our domain controllers / Active Directory as authentication servers. For credentials a digital certificate is used and the authenticator compares the certificate shown by the supplicant (e.g. a notebook) with the certificate stored in AD for the entity in a field (SAN, ...whatever... - configurable) of the supplicant's certificate.
While duplicating and using the Workstation Authentication template and setting it up for auto-enrollment succeeded for Windows-based domain members, I stumbled over finding the right process for Linux-based computers.
These Linux computers need to have a computer account in AD if we'd like to handle them the same way (same policies on the authenticator) as the Windows machines. OK, this could be achieved by using PowerShell's New-ADComputer.
But now those Linux clients need a certificate and need this stored in their own computer account object. Two requirements for this:
a) the Linux computer can't create the certificate request (and hence the private key) itself - just take it as it is, because it's a special thing for our deployed Linux System; of course one can import private key and certificate on the Linux computer for use in 802.1X authentication
b) the process should be streamlined to keep as much work as possible off the CA admins' / agents' shoulders ;-))
First I thought of this as a perfect scenario for an Enrollment Agent, because we already have Enrollment Agents in place for assigning code signing software certificates to IT staff: since we have an AD (Linux computer) account, the requestor's data (Linux computer name) could be taken from AD and storing the certificate with the AD object is just a template setting. But then the headaches began:
I can't access a duplicated Workstation Authentication template from a user account with an Enrollment Agent (User) certificate. But I can't enroll for an Enrollment Agent (Computer) certificate as a user either. I could do it as a computer (e.g. the CA server itself), but I won't get "Enroll on behalf of..." if I open mmc with certificate snap-in for Local Computer on the CA.
Yes, it could be done with a CSR, where the Enrollment agent has to manually fill in the computer name, etc. But it seems so right to think of it as an Enrollment agent process - alas, how to set it up?
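The CSR route mentioned above, written out as an added example (not from the original post or any vendor documentation): an admin pre-creates the Linux machine's computer account, builds a key and request on its behalf with certreq, submits it to the CA, and publishes the issued certificate on the computer object so the authenticator can match it. The hostname, DNS suffix, CA config string, template name and PFX password are all assumptions.

```powershell
# Added example, not the poster's own process. All names below are assumptions.
$Name   = 'linuxbox01'                         # assumed Linux hostname
$Fqdn   = "$Name.corp.example"                 # assumed DNS suffix
$CAConf = 'ca01.corp.example\Corp-Issuing-CA'  # assumed "CAhost\CA common name"
$Tmpl   = 'LinuxWorkstationAuth'               # assumed duplicated template name

# 1. Computer account, so the authenticator applies the same policy as for Windows members.
New-ADComputer -Name $Name -SAMAccountName "$Name`$" -DNSHostName $Fqdn -Enabled $true

# 2. Request file: subject and SAN carry the name the authenticator compares against AD.
#    MachineKeySet=FALSE keeps the key in the admin's user store; Exportable lets us hand it over.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = FALSE
Exportable = TRUE
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
[RequestAttributes]
CertificateTemplate = $Tmpl
"@ | Set-Content -Path "$Name.inf" -Encoding ASCII

# 3. Generate key + CSR, submit to the CA, bind the issued cert to the pending key.
certreq -new "$Name.inf" "$Name.req"
certreq -submit -config $CAConf "$Name.req" "$Name.cer"
certreq -accept "$Name.cer"

# 4. Publish the certificate on the computer object (userCertificate attribute).
#    Only needed if the template does not already publish to AD on issuance.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path "$Name.cer").Path
Set-ADComputer -Identity $Name -Certificates @{Add = $cert}

# 5. Export key + certificate as PKCS#12 for import on the Linux supplicant, then
#    remove the copy from the admin's store so the key lives only on the client.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'   # assumed: chosen by the admin
Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $cert.Thumbprint |
    Export-PfxCertificate -FilePath "$Name.pfx" -Password $pw
Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $cert.Thumbprint | Remove-Item
```

Afterwards the authenticator's comparison can be checked with `Get-ADComputer $Name -Properties userCertificate`, which should show exactly the issued certificate.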