A quick bit of memory Refresh regarding Certificate Template best practice:
- Do not change any of the default certificate used but create copies with a company prefix. These are easy to fine from the Corporate repository
- Only issue Certificate the you need
- Control Access requests (I like to use Security Groups to control what server/users can request certs.)
I’m starting this from the point where an administrator requests a certificate and send you the request.
When you receive a Certificate Request,vfirst check the template requested. This can be done with the following command:
|
1 |
certutil <filename.REQ> |
there will be a page or two of information and somewhere in that information there should be a line of information
|
1 2 |
Certificate Template Name (Certificate Type) myC-WebServer |
We need to ensure this matches there template names that the CA issues. If it is the standard WebServer… either they haven’t requested the right cert… or the CA is issuing the standard Template.
Next we issue the request to the Certificate Authority. we need to add the CertificateTemplate to the request that we are making. This is done by adding an attribute as below then submitting the filename:
|
1 |
certreq -attrib "CertificateTemplate:MyC-WebServer" -submit <filename.REQ> |
|
1 2 3 4 5 6 |
Active Directory Enrollment Policy {0B94AA91-153F-4C9B-BDF2-DCD362782668} ldap: RequestId: 573 RequestId: "573" Certificate request is pending: Taken Under Submission (0) |
Here you must remember the requestID, the requestId is used to complete the certificate request and
next approve the request in the Certificate Authority Console
|
1 |
certreq.exe -retrieve 573 <filename.crt> |