Any Enterprise IT peeps on here

BaronSmoggie

Well-known member
As this site seems to be a font of knowledge, thought I'd ask if anyone here in enterprise IT has ever worked with internal PKI's ? Looking to bounce an idea around and need a sounding board.
 
I built ours 3 years ago, it works fine, we have the auto enrollment configured. My specific question is have you ever worked on cross forest enrollment using the web enrollment service. I think I'm going to have to go this way and I've not done it into an existing PKI before.
 
I haven't, we run domain trusts though and it seems to work fine across that with certs being trusted etc.
 
OK thanks, I don't use LDAP for the CRL or AIA and I'd rather be able to uncouple it easy in the future. I've found an MS article talking about it using 2012R2, so I'll try and build the design off that.

Cheers for replying.
 
I wouldn't build anything on 2012r2. The oldest server OS I'd consider building something new with is 2019.
 
What type of data are you wanting to protect? or is it for users? devices? what? ... I've got around 10 years of IT experience
 
I have an MECM setup for HTTPS comms for clients. A second AD forest was previously managed by the same MECM, but since the switch to HTTPS, they've stopped communicating because they can't auto enroll the necessary certificate to authenticate to the management point. To get it working, I want to use the new certificate web enrollment service for auto silent enrollment, question I am asking is if anyone has done it and can offer guidance.
 
Figured it out, built a second PKI to handle just that domain and deployed the first domain root cert via group policy. PITA, but done now :)
 
Back
Top