Windows – How to issue a Windows machine cert for a non-domain joined computer

Tags: active-directory, certificate-authority, windows

I have a Windows Server 2012 AD/CA and domain joined computers automatically receive the CA public cert and also get a computer certificate generated and pushed using GPO auto-enrollment. All of this is used for 802.1X and works fine.

Now I need to generate a certificate for a non-domain joined win10 computer, so that it can also authenticate via 802.1X.

This is proving quite difficult. I've come across this post that describes two ways to accomplish this:

option 1

Export the certificate from a domain joined computer. I've tested and this works, but as explained in that post the drawback is that all the non-domain joined computers will share the same certificate.

option 2 (preferred)

  1. Create an account in AD
  2. Issue a certificate from a template that allows the private key to be exported
  3. Using name mappings, attach the certificate to the account
  4. Create an SPN that matches the SAN on the certificate, i.e. if the SAN is computer.domain.com, you need to create an SPN on the account of host/computer.domain.com
  5. Install certificate on to target workstation/device

This follow-up comment seems to suggest that the five steps above can be reduced to the following:

  1. Create computer AD account
  2. Issue a computer certificate for the non-domain computer adding SAN:UPN=<hostname>$@<domain.tld>
  3. Install computer certificate on client

You can make the hard option a little easier and reduce a couple of the steps by using a SAN entry in the certificate with a format of SAN:UPN=<hostname>$@<domain.tld>. This results in a certificate that has an NT Principal Name of <hostname>$@<domain.tld> in the SAN field, which is then appropriate for authentication to the NPS as a pure computer object. The only dependency is then the creation of a computer account in Active Directory and adding it to the respective groups for AuthZ.

I’ve created a Computer AD account with the hostname win10test but I don’t understand how to generate the certificate and how to add the SAN:UPN=<hostname>$@<domain.tld> to the certificate.

Do I need to create a CSR on the non-domain computer?

Can someone please elaborate on the instructions from the MS forum post. Thank you.

UPDATE

I created a csr request.inf that looks like this:

[NewRequest]
Subject="CN=win10test"
KeyLength=2048
KeySpec=1
MachineKeySet=TRUE
SMIME = FALSE

[RequestAttributes]
CertificateTemplate="NonDomainWorkstations"
; SAN given as a request attribute: the CA only honours this when the
; EDITF_ATTRIBUTESUBJECTALTNAME2 policy flag is set, so by default it is ignored
SAN="upn=win10test@test.local"

I then copied it to the CA and submitted the request.
The cert for win10test was issued but it doesn’t contain the SAN field. I don’t understand why.

UPDATE 2

New CSR request with the correct SAN attribute, as Crypt32 pointed out.

[NewRequest]
Subject="CN=win10test"
KeyLength=2048
KeySpec=1
MachineKeySet=TRUE
SMIME = FALSE

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "upn=win10test@test.local"

[RequestAttributes]
CertificateTemplate="NonDomainWorkstations"

The issue that remains is that the cert above does not seem to associate with the win10test AD computer account.

UPDATE 3

  1. Created AD computer account win10test
  2. Modified dNSHostname to win10test.test.local
  3. Created a CSR on win10test using the following request.inf:

[NewRequest]
Subject="CN=win10test"
KeyLength=2048
KeySpec=1
MachineKeySet=TRUE
SMIME = FALSE

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=win10test.test.local"

[RequestAttributes]
CertificateTemplate="NonDomainWorkstations"

  4. Ran certreq -new request.inf win10test.req on win10test
  5. Copied win10test.req to the CA server and submitted the request
  6. Copied win10test.cer to win10test and installed it in the local machine store.

Can’t authenticate via 802.1X. I get the following error in NPS:

Event 6273
host/win10test.test.local
TEST
TEST\host/win10test.test.local

The specified user account does not exist. 

Best Answer

Neither of the OP-suggested solutions is good.

If there is only one or a very small number of workgroup computers (which are not part of the AD forest), then it may be reasonable to enroll and renew client certificates manually:

  1. Generate a CSR (certificate request) on the workgroup computer
  2. Copy the CSR to the CA (or an admin PC) and submit the request to the CA
  3. Issue the signed certificate and copy it back to the client
  4. Install the certificate on the client.

If the number of workgroup computers is relatively large, you can invest in ADCS Web Services. Here is a simplified version on the AskDS blog: Enabling CEP and CES for enrolling non-domain joined computers for certificates
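The manual enrollment the answer describes, and the UPDATE 3 procedure in the question, put together as one PowerShell walkthrough. This is an added example, not code from the question, the answer or the MS forum post. The host name win10test, the domain test.local, the CA config string ca01.test.local\TEST-CA, the template NonDomainWorkstations, the group Dot1X-Computers and the C:\Temp paths are assumptions. Two details from this page are folded in: the SAN is placed in [Extensions] (the UPDATE 2 fix), and the computer account gets the host/<fqdn> SPN that option 2 step 4 calls for, since a computer object created by hand rather than by a domain join has no SPNs for NPS to match against.

```powershell
# Added example (not from the original question or answer). Assumed names:
# host win10test, domain test.local, CA "ca01.test.local\TEST-CA",
# template "NonDomainWorkstations", AuthZ group "Dot1X-Computers".
$Name   = 'win10test'
$Domain = 'test.local'
$Fqdn   = "$Name.$Domain"
$CA     = 'ca01.test.local\TEST-CA'

# ---- 1. On an admin PC with the AD module: the object NPS will map the cert to ----
# A hand-made computer object has no SPNs; register host/<fqdn> and host/<name>
# explicitly (option 2 step 4 on this page), and set dNSHostName to the SAN value.
New-ADComputer -Name $Name -DNSHostName $Fqdn -Enabled $true `
    -ServicePrincipalNames @("host/$Fqdn", "host/$Name")
Add-ADGroupMember -Identity 'Dot1X-Computers' -Members "$Name`$"   # assumed group

# Check what NPS will see before touching the client.
Get-ADComputer $Name -Properties dNSHostName, servicePrincipalName |
    Select-Object Name, dNSHostName, servicePrincipalName

# ---- 2. On the workgroup client (elevated prompt; MachineKeySet needs admin) ----
# The key pair is generated here and never leaves the machine, so the template does
# not need to allow private key export (unlike option 1 / option 2 on the page).
# The SAN goes in [Extensions]; a SAN passed as a request attribute is ignored
# unless the CA has EDITF_ATTRIBUTESUBJECTALTNAME2 set, and that flag lets any
# requester choose any identity, so leave it off.
$Inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
SMIME = FALSE

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "upn=$Name`$@$Domain"

[RequestAttributes]
CertificateTemplate = "NonDomainWorkstations"
"@
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null
Set-Content -Path C:\Temp\request.inf -Value $Inf -Encoding ASCII
certreq -new C:\Temp\request.inf "C:\Temp\$Name.req"

# ---- 3. On the CA (or an admin PC that can reach it): submit and retrieve ----
# If the template requires CA manager approval, -submit prints a request ID and
# the cert is fetched with -retrieve after it has been issued in certsrv.msc.
certreq -submit -config $CA "C:\Temp\$Name.req" "C:\Temp\$Name.cer"
# certreq -retrieve -config $CA <RequestId> "C:\Temp\$Name.cer"   # approval case

# ---- 4. Back on the workgroup client: bind the cert to the key and trust the CA ----
# Domain members get the CA root via GPO; a workgroup host does not, so import it.
certreq -accept "C:\Temp\$Name.cer"
Import-Certificate -FilePath C:\Temp\TEST-CA.cer -CertStoreLocation Cert:\LocalMachine\Root

# Verify the issued cert: subject, SAN content and that a private key is attached.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$Cert | Format-List Subject, Issuer, NotAfter, HasPrivateKey
$Cert.Extensions |
    Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
    ForEach-Object { $_.Format($true) }          # expect the dns= and upn= entries
certutil -verify -urlfetch "C:\Temp\$Name.cer"   # chain and revocation check
```

The SAN check at the end is the quick way to tell the UPDATE 1 failure mode (SAN silently dropped) from a mapping problem: if the dns= and upn= names are present but NPS still logs event 6273 with "The specified user account does not exist", compare the identity in the event with the servicePrincipalName values printed in step 1.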