godsitespeed.blogg.se

Certificate assistant for mac






CERTIFICATE ASSISTANT FOR MAC MANUAL

The following one-time-only modifications are required on the Microsoft Standalone CA to enable manual modification of various certificate extension attributes. I would like to point out that I am neither an Apple nor a Microsoft engineer, but a Network Engineer by trade :-) Anyone please feel free to comment or point out how this could be achieved more simply/cleanly/'just plain better'. These notes do not cover the implementation of a Microsoft based PKI, nor do they address the important considerations which one must take when doing so, so as to avoid common PKI mistakes (which can cause you a really, really big headache in a few years' time(!)).


This documentation assumes you are working on a fully-patched out-of-the-box client and Windows 2003 R2 Enterprise Edition CA configuration (as of 1st September 2009).

CERTIFICATE ASSISTANT FOR MAC HOW TO

In short, these instructions demonstrate how to enroll and configure machine certificates for an Apple Mac client (tested with 10.5.8 +) and a Microsoft stand-alone CA environment. Our environment consists of a Microsoft PKI Root CA with 3x Enterprise subordinates (automatic issuing of computer certificates to Windows clients) and now 2x new stand-alone subordinate CAs to handle non-domain integrated clients (i.e. the client side CSR generation isn't pretty, but it works - and it's easy for all IT staff to work with. It was a real headache to break the back of it, however I can provide you with these notes which should help you. Due to compatibility restrictions on the Mac client side, we have had to resort to the less preferable EAP-TLS (i.e. no PEAP tunnel) for these devices - it's a risk we're willing to take.

CERTIFICATE ASSISTANT FOR MAC PROFESSIONAL

It was desired that we treat them in the same manner as our existing much larger Windows XP Professional client base - that being with PEAP-TLS, 802.1x machine certificate authentication. We have a large userbase of corporate Macs (OS X 10.5.8 +) which required access to our 'Trusted Devices' WPA2-Enterprise wireless network. I think this is a non issue now. Funnily enough, I tackled this issue only last week. Will the Macs be able to automatically renew the certificate when they are getting close to expiring? So I'm going through Tom's procedure and I'm wondering. Are the 5 certutil command line entries (prior to step 1a.) needed, and if so, what impact might they have on certificates that might be requested/issued in the future? (This was based on a Microsoft technician's response to "why isn't my Computer template showing up in the drop down list on CertSrv".) I copy the Computer template, name it MacComputer, and configure it to get attributes from the request.


In order to get a "Computer" certificate to show up on the Web page (CertSrv), we need to disable getting the attributes from AD and enable supplying the attributes in the request (on the certificate template). Domain member computers will be able to get attributes directly from Active Directory (AD) and everything will (and does - we've tested it) work fine. So, based on Tom's process, we're going to make a copy of the Computer template, call it something like WindowsComputer for issuing (autoenrollment) to PCs. Non-domain member machines without a "computer" certificate (like personal laptops) will only be allowed Internet access. Cisco ACS will be used to control which wireless clients get access to our intranet (those with a "computer" certificate issued by our 2008 R2 Enterprise CA). We're looking at the same scenario as Tom.






