Deployment Guide
Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication 5
Domain Controller Certificates
Enrollment for a Domain Controller Certificate
To initiate the process of obtaining a suitable certificate, a system administrator on the domain controller system should do the following:
1. Generate an "offline" domain controller certificate request following the instructions on the Microsoft TechNet website: http://technet.microsoft.com/en-us/library/cc783835%28WS.10%29.aspx
2. Open a browser, go to the Upload Certificate Request page of the CertAgent public site and submit the request file (typically named <dcname>-req) to an appropriate CA.
3. Once your request has been accepted, make a note of the request ID generated by the CertAgent system to aid in the certificate retrieval process (described below).
Issuing a Domain Controller Certificate
The CertAgent CA to whose account the request has been submitted should follow these steps in issuing the domain controller certificate:
1. Log in to the appropriate CertAgent CA account; this is the account that you will be using to issue the domain controller certificate.
2. Open the pending certificate request list and click the request you wish to process. This will open the advanced options dialog.
3. If you already know the globally unique identifier (GUID) of the domain controller for which the certificate will be issued, skip to the next step. Otherwise, you can determine the required GUID as follows:
   • click Export and save the certificate request to a file
   • open a Command Prompt and run the following command:
     certutil -dump <request file>
   • the required domain controller GUID may be found in the output of this command as the value associated with the OID 1.3.6.1.4.1.311.25.1, as shown below:
   • copy the entire domain controller GUID to the clipboard and return to CertAgent
4. Select Issue certificate with customized settings from the Action drop-down list.
5. Customize the included extensions as described here (if they are not already specified in the active CA's default certificate profile settings):
   • under CRL Distribution Point, enter a valid CRL distribution point URL.
   • Subject Alternative Name, Other Name:
     1.3.6.1.4.1.311.25.1=0410 6661 6135 3636 3234 3831 6263 3866 6662
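The value entered in the Other Name field is the DER encoding of the domain controller's GUID as an OCTET STRING (tag 04, length 10 hex) written as hex after the OID. The Python below is an added example, not CertAgent's or Microsoft's code, that builds such a value from a GUID and validates a pasted one before it goes into the profile; it assumes the 16 raw bytes use Active Directory's objectGUID byte order (uuid.bytes_le).

```python
import re
import uuid

# Microsoft "NTDS replication" OID: the otherName that carries the DC's objectGUID
DC_GUID_OID = "1.3.6.1.4.1.311.25.1"
OCTET_STRING_TAG = 0x04
GUID_LEN = 16

def encode_dc_guid_value(guid: str) -> str:
    """Build the 'OID=hex' Other Name value from a GUID in {8-4-4-4-12} text form.

    Assumption: the 16 raw bytes use the Windows byte order of Active
    Directory's objectGUID (uuid.bytes_le), wrapped as a DER OCTET STRING.
    """
    raw = uuid.UUID(guid).bytes_le
    der = bytes([OCTET_STRING_TAG, len(raw)]) + raw        # 04 10 <16 bytes>
    hexstr = der.hex()
    spaced = " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))
    return f"{DC_GUID_OID}={spaced}"

def decode_dc_guid_value(value: str) -> bytes:
    """Check an 'OID=hex' (or bare hex) value and return the 16 GUID bytes.

    Anything that is not exactly a 16-byte OCTET STRING is rejected, so a
    truncated or mis-pasted GUID is caught before the certificate is issued.
    """
    if "=" in value:
        oid, _, value = value.partition("=")
        if oid.strip() != DC_GUID_OID:
            raise ValueError(f"unexpected OID {oid.strip()!r}, want {DC_GUID_OID}")
    der = bytes.fromhex(re.sub(r"\s+", "", value))
    if len(der) != 2 + GUID_LEN:
        raise ValueError(f"expected {2 + GUID_LEN} DER bytes, got {len(der)}")
    if der[0] != OCTET_STRING_TAG:
        raise ValueError(f"expected OCTET STRING tag 0x04, got 0x{der[0]:02x}")
    if der[1] != GUID_LEN:
        raise ValueError(f"expected length 0x10, got 0x{der[1]:02x}")
    return der[2:]

def guid_from_value(value: str) -> str:
    """Recover the {8-4-4-4-12} text form from an encoded Other Name value."""
    return str(uuid.UUID(bytes_le=decode_dc_guid_value(value)))

# The sample value printed in the guide's step 5.
GUIDE_SAMPLE = "1.3.6.1.4.1.311.25.1=0410 6661 6135 3636 3234 3831 6263 3866 6662"
```

Running decode_dc_guid_value(GUIDE_SAMPLE) confirms the guide's sample is a well-formed 16-byte OCTET STRING; encode_dc_guid_value produces the same "0410 ..." layout from a GUID copied out of certutil -dump.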