Can Windows PKI generate a certificate for a different domain level?

RT-7199 511 Reputation points
2023-03-03T22:47:01.8366667+00:00

We have an internal Windows PKI and we are able to generate certificates for abc.xyz.com, which is also our AD domain. For some reason they did not create an AD domain xyz.com.

But we do have our internal websites which use the name xyz.com.

Can we generate an xyz.com certificate with our current PKI?

What would be the steps I need to follow to make it happen?

Thanks

Windows for business | Windows Server | User experience | Other

2 answers

  1. Limitless Technology 44,766 Reputation points
    2023-03-07T08:36:07.87+00:00

    Hello there,

    Windows Server 2008 R2 allows enterprises to issue digital certificates from an enterprise Certification Authority (CA) to the clients that are members of a different Active Directory (AD) forest. This process is called cross-forest certificate enrollment.

    Cross-forest Certificate Enrollment https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/cross-forest-certificate-enrollment-with-windows-server-2008-r2/ba-p/1128463

    To request certificates from another forest without trust, we can try to deploy cross-forest certificate enrollment in AD test lab according to the following article.

    Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services

    https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer–

    0 comments No comments

  2. RT-7199 511 Reputation points
    2023-03-08T18:00:58.3433333+00:00

    @Limitless Technology While your answer seems correct for two separate AD domains, my question was more intended for issuing a server certificate to be used on our webserver, which I did not make clear.

    So if I create a CSR with common name and SANs as abc.com or even random-domain.com, I tested and I was able to use that CSR to get a certificate from our PKI. I am even able to use that certificate on a webserver and add our internal root CA to the Azure Application Gateway backend settings to do health checks on the proxied server.

    No complaints from browsers, since our internal root certificate is installed on all systems, if we try to access the webserver directly.

    Nor does Azure Application Gateway complain about it, and the website is publicly accessible with the actual public cert on the Gateway's front end. We can even do decryption of traffic on our firewalls with that cert.

    Does this make sense?

    0 comments No comments
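The procedure the reply describes (build a CSR whose common name and SANs are xyz.com names, submit it to the internal enterprise CA, install the result on the web server) as a PowerShell script. This is an added example, not code from the thread or from Microsoft; the CA config string, the template name and the hostnames are placeholders you must replace with your own values, and the template is assumed to allow the subject name to be supplied in the request, which is what the poster's test of random-domain.com shows.

```powershell
# Added example (not from the thread): request a certificate for xyz.com names
# from an internal enterprise CA with certreq, then verify the SANs that were issued.
# Placeholders (assumptions, not values from the post):
$CaConfig   = 'ca01.abc.xyz.com\Internal-Issuing-CA'  # find yours with: certutil -dump (Config: line)
$Template   = 'WebServer'                             # a template allowing "Supply in the request"
$CommonName = 'xyz.com'
$SanNames   = @('xyz.com', 'www.xyz.com', 'intranet.xyz.com')  # constructed sample names

$workDir = Join-Path $env:TEMP 'xyz-csr'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'request.inf'
$reqPath = Join-Path $workDir 'request.req'
$cerPath = Join-Path $workDir 'issued.cer'

# 2.5.29.17 is the Subject Alternative Name extension. certreq's {text} syntax
# takes one dns= entry per _continue_ line, joined with '&'.
$sanLines = for ($i = 0; $i -lt $SanNames.Count; $i++) {
    $sep = if ($i -lt $SanNames.Count - 1) { '&' } else { '' }
    "_continue_ = `"dns=$($SanNames[$i])$sep`""
}

$inf = @"
[NewRequest]
Subject = "CN=$CommonName"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`n")

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the PKCS#10 request.
& certreq.exe -new -q $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 2. Submit to the enterprise CA. If the template requires CA manager approval,
#    the request is pended and no certificate file is written yet.
& certreq.exe -submit -q -config $CaConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

# 3. Bind the issued certificate to its private key in LocalMachine\My.
& certreq.exe -accept -q -machine $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 4. Check that the CA actually issued every name we asked for before binding it
#    to the web server; a CA policy module may strip or alter SANs.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$issuedSans = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[1] }
$missing = $SanNames | Where-Object { $_ -notin $issuedSans }
if ($missing) {
    Write-Warning "CA did not issue these names: $($missing -join ', ')"
} else {
    "Issued $($cert.Subject) (thumbprint $($cert.Thumbprint)) with SANs: $($issuedSans -join ', ')"
}
```

Two points worth keeping in mind when you run this. The certificate is only trusted where the internal root is installed, which is exactly the behaviour the reply reports for browsers and for the Application Gateway backend. And the same property that makes this work, a template that accepts whatever subject and SANs the request carries, means anyone with Enroll permission on that template can obtain a certificate for any internal name; keep Enroll on that template limited to the server administrators who need it, consider requiring CA certificate manager approval, and periodically review the CA's issued-certificate log (certutil -view) for names that should not have been issued.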
