Windows – ADCS Client certificate lacks Private Key

certificate-authority, windows, windows-server-2012-r2

I've configured ADCS to install user and computer certificates via GPO.
With those certs I can do EAP-TLS authentication from the machines to a Clearpass RADIUS server. This is a good thing.

But I'm trying to have users download user certificates for non-domain computers from http:///certsrv.
They can download a cert, but it doesn't get placed in the 'Personal' certificate store on the client machine; it ends up in the 'Active Directory User Object' store instead. EAP-TLS authentication fails. Upon further examination, it appears that the certificate does not have the private key downloaded with it. The certificates installed via GPO do have the private key. Without the private key on the computer, EAP-TLS will always fail.

How do I get ADCS to allow the private key to be downloaded via the web interface? The 'User' certificate template has the box checked to allow this. I even created a new certificate template, and ensured that the option to allow private key downloading was enabled.

Ideas?

Thank you!

Best Answer

But I'm trying to have users download user certificates for non-domain computers from http:///certsrv.

With ADCS Web Enrollment, with non-domain-joined machines, you need to create the certificate request manually, either with certreq.exe (included with Windows) or OpenSSL.

When you create the certificate request with certreq.exe, the private key is created on the client machine and is stored locally on the client machine. The CA never has your private key. (Enterprise CA Key Archival being out of scope here.) The CA just signs your certificate request. When you then take the signed certificate request back to your client and import it, it is then "married" at that time to the private key.

This is all manual. The automation is a benefit of Active Directory domain-managed clients and Enterprise PKI. But you specified non-domain-joined.

(PS, I guess you could write a script to automate the certreq and certutil commands required but I don't have this script handy. Maybe something like this.)

Edit: Final note, you might want to try configuring Key Archival on your CA, then setting RequestType = CMC and PrivateKeyArchive = True in your certificate request. I honestly don't know if that will work from a non-domain-joined machine, but in theory it could, because you could securely transmit your private key from the client to the CA using the CA's cert. (Although you could argue that it is in principle insecure to have the private key stored in more than one location.)

But I've never tested it and I can't find it documented.

(Not that you need Key Archival to implement the basic certreq procedure I described above; I've done that part a hundred times and I know that works.)
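The manual certreq.exe procedure the answer describes, written out as an added PowerShell example (this is not the answerer's script and not Microsoft's reference code). It assumes a placeholder subject name, that the CSR is pasted into the certsrv "advanced certificate request" page by hand, and that the signed certificate is saved back to the path given below. The key is generated non-exportable in the current user's key store, so the CA never sees it, and the final check confirms the installed certificate in the Personal store has a private key and the Client Authentication EKU that EAP-TLS needs.

```powershell
# Added example: manual EAP-TLS user certificate enrollment on a non-domain-joined
# Windows client with certreq.exe. Run every step as the same user who will
# authenticate; the private key is created and kept only on this machine.

$workDir = Join-Path $env:USERPROFILE 'eaptls-enroll'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Placeholder identity (assumption); replace with the real user's subject.
$subject = 'CN=jdoe, OU=Users, O=Example Corp'

$infPath = Join-Path $workDir 'request.inf'
$csrPath = Join-Path $workDir 'request.csr'
$cerPath = Join-Path $workDir 'signed.cer'   # where the certsrv download is saved

# certreq INF: RSA 2048 key in the user (not machine) store, non-exportable,
# PKCS#10 request, Client Authentication EKU. ';' starts an INF comment.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "__SUBJECT__"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
; Non-exportable: the key cannot later be copied off this client.
Exportable = FALSE
; FALSE = current user's key store, matching a user certificate.
MachineKeySet = FALSE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
; 0xa0 = Digital Signature + Key Encipherment
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; Client Authentication, the EKU a RADIUS server checks for EAP-TLS
OID = 1.3.6.1.5.5.7.3.2
'@
$inf.Replace('__SUBJECT__', $subject) | Set-Content -Path $infPath -Encoding ASCII

# Step 1: generate the key pair locally and write the base64 PKCS#10 request.
certreq.exe -new $infPath $csrPath

# Step 2: submit the request. For a non-domain client this is the manual part:
# open http://<CA host>/certsrv, choose "Request a certificate" ->
# "advanced certificate request", paste the CSR text, pick the user template,
# and save the issued certificate (Base 64) as $cerPath.
Write-Host "Paste the contents of $csrPath into the certsrv request page, then save the issued cert as $cerPath"
Get-Content $csrPath | Set-Clipboard
# (If RPC/DCOM to the CA is reachable with valid credentials, the equivalent is
#  certreq.exe -submit -attrib "CertificateTemplate:User" $csrPath $cerPath)

# Step 3: once the signed certificate exists, install it. certreq matches it to
# the private key generated in step 1, so it lands in Cert:\CurrentUser\My
# (the 'Personal' store) with the key attached.
if (Test-Path $cerPath) {
    certreq.exe -accept $cerPath
}

# Step 4: verify what EAP-TLS needs: a cert in the Personal store for this
# subject that has a private key and the Client Authentication EKU.
function Test-EapTlsClientCert {
    param([Parameter(Mandatory)][string]$SubjectFragment)

    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*$SubjectFragment*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    if (-not $cert) { return $false }

    $hasClientAuth = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
    return [bool]($cert.HasPrivateKey -and $hasClientAuth)
}

if (Test-EapTlsClientCert -SubjectFragment 'CN=jdoe') {
    Write-Host 'OK: certificate in Personal store with private key and Client Authentication EKU'
} else {
    Write-Host 'Not ready: no matching certificate with a private key and Client Authentication EKU'
}
```

If Test-EapTlsClientCert returns False after certreq -accept, the usual cause is that -new and -accept ran as different users (or one of them elevated under a different profile), so the certificate could not be matched to the key in the current user's store.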