how to distribute/trust a certificate throughout the whole domain [message #155534] Mon, 01 June 2009 16:37
Doug P
Running Server 2003 SP2 and XP Pro SP3

I have installed the certificate authority on my domain controller.
I have generated a code signing certificate.
I have used this certificate to sign a Word .dot file in order to trust the
macros within it.

When users open the .dot file, they get a security prompt regarding macros.
Some users can click the 'Always trust macros from this publisher' and then
they can enable the macros. For other users this option is greyed out. This
doesn't appear to be a permissions thing because I was able to choose always
trust on one computer with a non-admin user and I can not choose always trust
on another computer even with an admin user.

If possible, I would like to use group policy or something to enable this
certificate or CA to be trusted by every computer in the domain but I haven't
been able to find how to do this.

Re: how to distribute/trust a certificate throughout the whole domain [message #155542 is a reply to message #155534] Mon, 01 June 2009 20:28
aceman
"Doug P" <DougP@discussions.microsoft.com> wrote in message news:BDAD19B7-003E-4DB4-990D-13EE8785BEC8@microsoft.com...
> Running Server 2003 SP2 and XP Pro SP3
>
> I have installed the certificate authority on my domain controller.
> I have generated a code signing certificate.
> I have used this certificate to sign a Word .dot file in order to trust the
> macros within it.
>
> When users open the .dot file, they get a security prompt regarding macros.
> Some users can click the 'Always trust macros from this publisher' and then
> they can enable the macros. For other users this option is greyed out. This
> doesn't appear to be a permissions thing because I was able to choose always
> trust on one computer with a non-admin user and I can not choose always trust
> on another computer even with an admin user.
>
> If possible, I would like to use group policy or something to enable this
> certificate or CA to be trusted by every computer in the domain but I haven't
> been able to find how to do this.
>


This is best posted in the microsoft.public.windows.server.security and microsoft.public.security.crypto newsgroups.

Just a heads up, the CA must be the Enterprise version of Windows in order to have a V2 template that you can create a cert for autoenrollment. Then you would configure a GPO for it. The following are some links to read up on with how to do it. Maybe the folks in the other groups can offer more specifics. FYI, make sure you test it in a lab or on a test machine before rolling out the cert to everyone, or it will be more work removing the certs if it's not what you are looking for.

Here are some articles on how to set up Microsoft CAs and deploy certificates to users.

Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Implementing and Administering Certificate Templates in Windows Server 2003
http://technet.microsoft.com/en-us/library/cc783016.aspx

PKI Enhancements in Windows XP Professional and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx

Windows Server 2003 PKI Operations Guide
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx

Managing a Windows Server 2003 Public Key Infrastructure
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx

Advanced Certificate Enrollment and Management (need Windows Enterprise edition to make autoenrollment work):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

Certificate Autoenrollment in Windows Server 2003 (need Windows Enterprise edition to make autoenrollment work):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

Selecting Certificate Templates Public Key (need Windows Enterprise edition to make autoenrollment work):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/c71d2cd3-82ef-4e3c-8746-1340d0ef4e9a.mspx

Configure a certificate template for client autoenrollment (need Windows Enterprise edition to make autoenrollment work):
http://technet2.microsoft.com/WindowsServer/en/Library/47f1c981-7c04-48b0-a697-56db5ba00a8e1033.mspx

Certificate Services Operations Guide - Certificate Services Operations:
http://www.microsoft.com/technet/itsolutions/wssra/raguide/CertificateServices/CrtSevcOG_2.mspx


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay