
Post on 25-Jun-2020


Request Computer Certificate from Certificate Authority

Introduction: Microsoft PKI infrastructure can be scaled to support users, workstations, devices and applications. With the constant demand for more secure communication, Microsoft PKI enforces strong security with the help of certificates and key logic. This article explains the behavior of a Standard User versus an Administrator when requesting a certificate.

Infrastructure: The steps below are performed on a single Active Directory site installed on Windows Server 2008 R2, with both the Forest Functional Level and the Domain Functional Level set to Windows Server 2008 R2. The server is also configured as the Certificate Authority. You read that correctly: the Domain Controller role and the Certificate Authority role are both configured on the same server.

Rationale: There are situations in which a customer provides only a few physical or virtual servers on which to build a solution for development or testing environments. The administrator or consultant deploying the solution should raise the risks and understand the impact of installing both roles on the same server.

Risks: The CA cannot be configured as offline. The CA should not be configured for Internet-facing clients.

Architectural Diagram: [Figure not preserved. Labels: Active Directory Infrastructure, PKI Infrastructure, Switch, Router, Windows 8 Clients]

Test Case Scenarios

Scenario 1: Requesting a machine-level certificate with a Standard User account without Administrator privileges. The Standard User is part of the Active Directory domain.

Steps:

Step1: Click Start > Run, type MMC and press Enter.

Step2: Select Certificates and click Add.

Step3:

In the above scenario, the user cannot request a machine certificate; a Standard User can only request a user certificate.

Scenario 2: Requesting a machine-level certificate with a Standard User account with Administrator privileges. The Standard User is part of the Active Directory domain.

Note: Changes to machine-level membership require the computer to be restarted.

Steps:

Step1: Click Start > Run, type MMC and press Enter.

Step2: Select Certificates and click Add.

Step3: When you click Add, the following options are displayed.

Step4: The Administrator / Super User can select Computer Account on the local computer, or can select a remote computer for accessing certificates.

From the above scenario, a Standard User with Administrator privileges is able to add the computer certificate successfully.

Scenario 3: Requesting a machine-level certificate with a Standard User account with PowerUser privileges. The Standard User is part of the Active Directory domain.

The result is the same as Scenario 1: a Standard User with PowerUser privileges cannot request machine-level certificates.
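The three scenarios above can also be checked from a PowerShell prompt on a Windows 8 client. The script below is an added example, not part of the original article: it reports which built-in roles the current token holds and then requests a certificate into the store that matches the scenario. The template names Machine and User are assumptions (the default templates must be published on the CA), and the Get-Certificate cmdlet is available on Windows 8 and later, not on Windows Server 2008 R2.

```powershell
# Added example: values marked "assumed" are not taken from the article.
$MachineTemplate = 'Machine'   # assumed: default Computer template is published on the CA
$UserTemplate    = 'User'      # assumed: default User template is published on the CA

function Get-EnrollmentContext {
    # Report which built-in local roles the current logon token holds.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $role      = [Security.Principal.WindowsBuiltInRole]
    [pscustomobject]@{
        Account       = $identity.Name
        # False when an Administrators member runs with a UAC-filtered (non-elevated) token.
        Administrator = $principal.IsInRole($role::Administrator)
        PowerUser     = $principal.IsInRole($role::PowerUser)
    }
}

function Request-ScenarioCertificate {
    $ctx = Get-EnrollmentContext
    if ($ctx.Administrator) {
        # Scenario 2: administrator token, enroll into the computer store.
        $template = $MachineTemplate
        $store    = 'Cert:\LocalMachine\My'
    } else {
        # Scenarios 1 and 3: standard user or Power User, only the user store is writable.
        $template = $UserTemplate
        $store    = 'Cert:\CurrentUser\My'
    }
    Write-Host "$($ctx.Account): Administrator=$($ctx.Administrator) PowerUser=$($ctx.PowerUser) -> $store"

    try {
        $result = Get-Certificate -Template $template -CertStoreLocation $store -ErrorAction Stop
        Write-Host "Enrollment status: $($result.Status)"
        if ($result.Certificate) {
            Write-Host "Thumbprint: $($result.Certificate.Thumbprint)"
        }
    } catch {
        # Access denied here means the token or the template ACL does not allow enrollment.
        Write-Warning "Enrollment against $store failed: $($_.Exception.Message)"
    }
}

Request-ScenarioCertificate
```

Running it as each of the three test accounts shows the same split as the MMC snap-in: only the administrator token is directed to the LocalMachine store.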