One more detail on using an Enterprise CA with NAP
In my previous post on this subject, I neglected to mention the following configuration change required in order to support a Health Request Agent (for Network Access Protection on Windows Server 2008) with an Enterprise Certificate Authority:
On the health certificate template, you must allow the enrollment client to specify the subject name. Normally, the subject name is obtained by the CA implicitly from the security context of the caller (e.g. the name of a remote machine). But in this case, the caller is the HRA service, enrolling on behalf of some other machine.
What happens if you don’t allow the subject name to be supplied in the request? All of your health certificates will be issued to the machine name hosting the HRA. That doesn’t do the actual client machine much good (assuming the cert is being used in the context of an application that does name checking).
How do you allow the subject name to be supplied in the request? Open the certificate manager snap-in for the Enterprise CA, right-click on Certificate Templates, and select Manage. Find the health cert template, right-click, and select Properties. Click on the Subject Name tab and select “Supply in the request”.
You may get a warning at that point, and for good reason. Allowing a free-form subject name means that anyone with enrollment rights for that template can obtain a cert in anyone’s (or anything’s) name. The CEO’s computer, for example. Thus, you need to ensure that those rights are granted to as limited a group as possible.
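As an added example (not from the original post), here is a PowerShell audit script that lists every template in the forest where “Supply in the request” is enabled, together with the principals holding Enroll on it, so you can confirm that only the HRA’s own account or group has that right. It assumes a domain-joined machine with read access to the Configuration partition; the flag value and the Certificate-Enrollment right GUID come from the AD PKI schema, not from the post.

```powershell
# Added audit script, not part of the original post. Assumptions: run on a
# domain-joined machine as a user allowed to read the Configuration partition.
# The constants below are from the AD/PKI schema, not from the post.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # "Supply in the request"
$CertificateEnrollmentRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$NullGuid = [guid]::Empty
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

function Get-SubjectSuppliedTemplate {
    # Returns one object per template that lets the enrollee supply the subject,
    # together with the principals that can enroll for it.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $path = 'LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            $rootDse.configurationNamingContext
    $container = [ADSI]$path

    foreach ($template in $container.Children) {
        $flags = [int]$template.Properties['msPKI-Certificate-Name-Flag'].Value
        if (($flags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0) { continue }

        # Enroll is the Certificate-Enrollment extended right. GenericAll and a
        # blanket ExtendedRight ACE (empty object type) also grant it.
        $enrollers = $template.ObjectSecurity.GetAccessRules(
                $true, $true, [System.Security.Principal.NTAccount]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and (
                    $_.ActiveDirectoryRights.HasFlag($Rights::GenericAll) -or
                    ($_.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
                     ($_.ObjectType -eq $CertificateEnrollmentRight -or
                      $_.ObjectType -eq $NullGuid)))
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        [pscustomobject]@{
            Template  = $template.Properties['cn'].Value
            Enrollers = $enrollers
        }
    }
}

# Review the output: a health template should list only the HRA service
# account (or its group), never broad groups such as Domain Computers.
Get-SubjectSuppliedTemplate | Format-List
```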