How to Publish Certificates to the Active Directory from a Standalone Certification Authority

ID: Q246572


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server


SUMMARY

A Web server that hosts the certification authority certificate enrollment Web pages must be configured for domain authentication, and the certificate request must include an attribute specifying the user certificate template. This article describes how to publish certificates to the Active Directory from a standalone certification authority.


MORE INFORMATION

Server Configuration

After installing a standalone certification authority with Directory Services write access, you must perform the following steps to be able to publish certificates to the Directory Service:
  1. On the certification authority, run the following command:

    certutil -setreg exit\PublishCertFlags EXITPUB_ACTIVEDIRECTORY

  2. On the certification authority, use the Internet Services Manager MMC snap-in to configure the CertSrv virtual directory to require domain authentication:

    1. Right-click the CertSrv virtual directory, click Properties, and then click the Directory Security tab.
    2. Under Anonymous access and authentication control, click Edit.
    3. Click to clear the Anonymous access check box.
    4. Click to select the Basic Authentication and Integrated Windows authentication check boxes.
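
One way to apply step 1 and confirm that it took effect, as an added example that is not part of the original article. It assumes the Certificate Services service name is certsvc, that the service must be restarted before the exit module reads the new value, and that certutil -getreg prints the symbolic flag name.

```batch
@echo off
rem Added example, not from the original article.
rem Run from a command prompt on the standalone certification authority.
setlocal

rem Show the current exit-module publishing flags first. -setreg with a
rem plain value overwrites whatever was set, so note the old value.
echo Current value:
certutil -getreg exit\PublishCertFlags

rem Step 1 of the article: publish issued certificates to Active Directory.
certutil -setreg exit\PublishCertFlags EXITPUB_ACTIVEDIRECTORY
if errorlevel 1 (
    echo certutil -setreg failed; the flag was not changed.
    exit /b 1
)

rem Assumption: the service name is certsvc and a restart is needed
rem for the exit module to read the new registry value.
net stop certsvc
net start certsvc
if errorlevel 1 (
    echo Certificate Services did not restart; check the event log.
    exit /b 1
)

rem Read the value back and fail if the flag is not reported as set.
rem Assumption: -getreg prints the symbolic name next to the number.
certutil -getreg exit\PublishCertFlags | findstr /i /c:"EXITPUB_ACTIVEDIRECTORY" >nul
if errorlevel 1 (
    echo PublishCertFlags does not include EXITPUB_ACTIVEDIRECTORY.
    exit /b 1
)
echo PublishCertFlags now includes EXITPUB_ACTIVEDIRECTORY.
endlocal
```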

Certificate Enrollment

Whenever a user wants to enroll for a certificate that should be published to Active Directory, the user must use the certification authority Advanced Certificate Requests feature to submit a request to the certification authority using a form. The user must also type CertificateTemplate:User in the Attributes control on the page under Additional Options prior to submitting the request.

Keywords : kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.