Posts on this page:
Hello, PowerShell Crypto Guy is here again. A while ago I read an article: http://www.solution-soft.com/whitepapers/Hyper-V/TimeMachine_Hyper-V_guide.htm which is quite interesting. However, it claims that the related TechNet article, Configuring Certificates for Virtual Machine Connection, won't work because of the following limitations:
Fortunately, neither statement is correct:
The Windows PKI team always knows how to make our lives harder :). Yesterday Shay Levy pointed me to an interesting thread: http://www.powergui.org/thread.jspa?messageID=47514
Basic intro: this attribute is used by the Credential Roaming Service. By default, if a user uses a roaming profile, credentials (and personal certificates) don't roam. This means that the user can use the same profile on other computers, but will not be able to use their certificates (i.e., decrypt files and mail, sign documents, and so on). If certificate autoenrollment is enabled, the user will enroll new certificates, but they will remain on that computer only. One possible way to work around this issue is to use smart cards, but this is quite an expensive solution. With the Credential Roaming Service, all certificates roam with the user. However, this is not a very secure solution, because domain administrators will have access to user private keys. At a certain point domain users must trust administrators anyway, so this solution is good enough for many roaming profile scenarios.
Continuing my previous post, I want to discuss certificate installation. As you know, certificate enrollment generally consists of several steps:
In the previous post I demonstrated how a certificate request can be created using native PowerShell capabilities. Since the CA server cannot be contacted directly from the managed client, you will have to manually transfer the request and submit it to the Certification Authority.
When you create a certificate request, it is placed in the Certificate Enrollment Requests container (in the Certificates snap-in). The request waits there for the signed public part of the certificate. When the public part is signed by the external authority, the signed certificate must be installed into the local store. The installation process consists of two steps:
I would like to demonstrate a rather neat script that simplifies certificate request generation for OpsMgr managed clients. Until now we have had to use various methods that are complex (for administrators who are not familiar with digital certificates), such as:
Both methods require additional steps to generate the request. For example, if you use the CertReq.exe utility, you need to write a fairly complex certificate enrollment configuration file. If you use the Certificates snap-in, you will need to manually specify all necessary data (such as the subject, private key settings, certificate extensions, etc.). This PowerShell script does all of that, so you only have to copy and paste the script into a PowerShell console and run it.