Enroll on behalf of problem

TonyB 1 Reputation point
2020-10-02T10:00:52.013+00:00

Like many, we have staff working from home now using a VPN to connect back to site. This VPN is secured using credentials and user certificates. The issue is that when these user certificates expire, there's no way for the staff member to request a new one without coming back to site to connect to the internal network. So, I'm looking at using the Enrollment Agent so we can request a cert on their behalf and send it to them securely.

I've setup the enrollment agent template, and the 'enroll on behalf of' template I want to use, and I can initiate the request on behalf of another user using the mmc snapin, but in our case, we need to include a specific subject alternate name in the cert which the VPN auth needs. Whatever I try though, I can't seem to work out if I can include this SAN in the cert template or not - I've tried numerous things on the Subject Name tab in the cert template without success. The SAN needs to be a DNS FQDN, and it's the same for every VPN cert issued. When we do this in the office, we just use the CA Web UI, request a user cert, then add the relevant SAN in the Attributes field - works perfectly. If I try and select the VPN template from the Web UI I don't see the Attributes section, and the cert always says 'this will be saved and not submitted'.

Am I missing something here, or isn't it possible? I don't care if I have to use mmc or the web UI, but it would be good to know if it should work or not with the SAN we need.

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,681 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Vadims Podāns 8,856 Reputation points MVP
    2020-10-02T15:33:39.54+00:00

    If you supply subject in request during ROBO process, then you don't need ROBO at all. Just use normal enrollment, supply subject and get cert in personal store. Then export it to PFX, delete private key material and send the securely to target user. You overcomplicated the process.

    0 comments No comments