Certificate Enrollment Web Service/Policy Web Service research - cross-forest PKI certificate auto-enrollment

Bojan Zivkovic 321 Reputation points
2021-04-29T09:22:02.127+00:00

Hi, is it possible to use Certificate Enrollment Web Service/Policy Web Service to auto-enroll certificates to systems in forests without any trust with the forest where the 2-Tier PKI resides? If so, how will servers/desktops/laptops, for instance, auto-enroll their certificates, such as the ConfigMgr client certificate needed for HTTPS communication, since typical auto-enrollment is an AD/GPO "feature"? What "initiates"/"triggers" certificate auto-enrollment on a machine?

Windows Server Security

5 answers

  1. Vadims Podāns 8,081 Reputation points Microsoft MVP
    2021-04-29T20:02:04.5+00:00

    The answer is No. Cross-forest certificate enrollment requires a two-way forest trust. No exceptions.


  3. Daisy Zhou 12,921 Reputation points Microsoft Employee
    2021-04-30T01:19:03.45+00:00

    Hello @Bojan Zivkovic ,

    Thank you for posting here.

    If there is no two-way forest trust, we can try to deploy cross-forest certificate enrollment in an AD test lab according to the following article, if needed.

    Starting with Windows Server 2008 R2, you can utilize Certificate Enrollment Web Services to provide certificates across forests that do not require forest trust relationships. For a lab demonstration of such a configuration using Windows Server® 2012, see the Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services.

    For more information, please refer to link below.
    Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services
    https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  4. Bojan Zivkovic 321 Reputation points
    2021-04-30T07:51:22.53+00:00

    I followed the document above and could not find (unless I missed it) the part where a system in an untrusted forest, or a non-domain-joined system, got a certificate via autoenrollment. I guess if those two GPO settings are configured:

    Certificate Services Client - Certificate Enrollment Policy
    Certificate Services Client - Auto-Enrollment

    a system in an untrusted forest or a non-domain-joined system will get certificates automatically at the next GPO refresh. But what is also not covered is how to allow certificate auto-enrollment of a specific template in terms of permissions (to which security principals the read/enroll/auto-enroll permissions should be assigned).

    I definitely do not want to go to each client/server in any untrusted forest and enroll certificates manually; the ConfigMgr client certificate, for instance, should be auto-enrolled, but here, as I said, I do not see auto-enrollment in action: everything is manual. Every document I found had some holes and this one is no exception.
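
The two client-side pieces named in this post (the enrollment policy endpoint and the auto-enrollment switch) and the trigger asked about in the question can be set and exercised on a single machine without any GPO, which is the situation for a host that gets no policy from the PKI forest. The PowerShell below is an added example for illustration; it is not from this thread, from the linked Test Lab Guide, or from Microsoft documentation, and the CEP URL, the credential, the template display name and the registry bit value 7 are assumptions or placeholders. It does not change the trust question: a machine with no trust to the PKI forest cannot authenticate to CEP/CES with Kerberos, so the endpoint has to be published for username/password or certificate authentication, and issuance still depends on the template's Read/Enroll/Autoenroll ACLs for the account that authenticates, which is exactly the permissions gap raised above.

```powershell
# Added example, not from the thread: register a Certificate Enrollment Policy
# (CEP) endpoint on a machine outside the PKI forest, enable machine
# auto-enrollment locally, force an auto-enrollment pass, and verify the result.
# Run in an elevated PowerShell session on the client.

# ASSUMPTION: CEP endpoint published by the PKI forest for username/password
# authentication; replace with the real URL.
$CepUrl = 'https://cep.pki.example/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'

# ASSUMPTION: an account from the PKI forest that has Read/Enroll/Autoenroll
# on the template(s) to be auto-enrolled. Without those ACLs nothing is issued.
$Cred = Get-Credential -Message 'Account in the PKI forest used for CEP/CES'

# Per-machine equivalent of the GPO setting
# "Certificate Services Client - Certificate Enrollment Policy".
# -AutoEnrollmentEnabled lets the auto-enrollment client use this policy server.
# -RequireStrongValidation makes the client reject a CEP server whose TLS
# certificate cannot be validated.
Add-CertificateEnrollmentPolicyServer -Url $CepUrl -Context Machine `
    -Credential $Cred -AutoEnrollmentEnabled -RequireStrongValidation -Force

# Per-machine equivalent of "Certificate Services Client - Auto-Enrollment".
# The GPO writes AEPolicy under this key; ASSUMPTION: 7 corresponds to
# Enabled with both "renew/update/remove" options checked (0x8000 = disabled).
$AeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
New-Item -Path $AeKey -Force | Out-Null
Set-ItemProperty -Path $AeKey -Name AEPolicy -Value 7 -Type DWord

# Check which policy servers the machine knows about and whether
# auto-enrollment is enabled for each.
Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine |
    Format-Table Url, AutoEnrollmentEnabled -AutoSize

# Normally auto-enrollment runs from the scheduled task
# (\Microsoft\Windows\CertificateServicesClient) and at GPO refresh;
# certutil -pulse starts a pass immediately.
certutil -pulse

# Verify: list machine certificates issued from the template of interest
# by reading the "Certificate Template Information" extension.
# ASSUMPTION: template display name; adjust to the real template.
$TemplateName = 'ConfigMgr Client Certificate'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' }
        $ext -and $ext.Format($false) -like "*$TemplateName*"
    } |
    Select-Object Subject, NotAfter, Thumbprint
```

If the final query returns nothing after a pulse, the usual places to look are the Microsoft-Windows-CertificateServicesClient-Lifecycle-System and CertificateServicesClient-AutoEnrollment event logs on the client (authentication to CEP, policy download, and template-permission failures are logged there) and the template's security tab on the issuing CA side.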


  5. Bojan Zivkovic 321 Reputation points
    2021-05-09T11:43:12.603+00:00

    I would just like to get 100% trustworthy information on this: whether auto-enrollment of certificates to systems in untrusted forests is doable using CEP/CES or not. If the answer is no, then I will tell my manager that the only option is establishing a two-way trust between forests, with selective authentication if InfoSec won't allow forest-wide authentication. In that design I do not see a place for CEP/CES. The difference between auto-enrollment and enrollment of certificates is huge, particularly in untrusted forests with hundreds or thousands of systems.
