Jump to content


Okie

CertEnroll permissions question

Recommended Posts

First of all, thank you for such a great guide. I do have a question though, is the CertEnroll directory available over the internet? So my certs are able to be downloaded by anyone? Sorry if this is a dumb question, I am just trying to learn this. 

 

Thank you

Share this post


Link to post
Share on other sites

it's a good question, and i'd recommend you read this guide (from Microsoft) which goes into details about that

https://social.technet.microsoft.com/wiki/contents/articles/485.how-to-publish-the-crl-on-a-separate-web-server.aspx

 

Quote

 

In these Internet scenarios, it makes sense to publish a CRL that can be accessed over HTTP with an Internet FQDN.  If you already have a Web server in the DMZ that is configured for HTTP, it makes an ideal candidate because you just need to add an additional virtual directory - there's no need to add a host entry into your public DNS, or install and harden a new server to run IIS.  However, think twice about using a server running Internet-based site system roles because (with the exception of the fallback status point), these use HTTPS to help secure the server from unauthenticated access.  Certificate revocation lists cannot be accessed over HTTPS so to add HTTP access to one of your Internet-based site system servers would greatly increase the risk of an attacker connecting to this server.

Disclaimer:  The procedures in this blog post are external to Configuration Manager, so you will not find this information in the Configuration Manager product documentation.  However, we realize that PKI is often new to Configuration Manager admins, and aim to share our knowledge and experience to help you be more successful with the product. We would also like to pay tribute to the help and information provided by Amer Kamal and Mark Cooper, senior Premier Field Engineers who have designed and implemented CDPs for our customers.

 

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...