
HTTP Enrollment in Windows

Just read a new Technet article detailing some of the new PKI features in Windows 7 and Windows 2008. Some overall interesting stuff there, but what I really hadn’t seen before is support for HTTP Enrollment for PKI certificates.

One of the challenges of any PKI is re-enrollment of entities. So, for example, a new laptop is provisioned and given to a user. During provisioning, a device certificate is installed onto the machine (either via auto-enrollment or manually installed). However, once that laptop leaves the IT department, the goal is to require as little “touch” as possible in the future.

In an environment where all of the machines are on the same domain and PKI is managed in-house, enrollment is a cinch. However, more and more often PKI is an outsourced service. PKI can be difficult (although to be honest sometimes that is over-emphasized). If I can pay someone to manage it for me, it is probably more secure to let the experts actually manage it. BUT, if it is outsourced, how do I allow my machines to get certificates? In the MS PKI world, I may have to create a forest trust so that my machines can enroll and then re-enroll.

The addition of HTTP Enrollment allows enrollment requests to be performed over HTTP/S. So, there is less of a need for forest relationships and more of an ability to outsource PKI. It actually makes the Microsoft CA a much more attractive option.

All this being said, I expect that HTTP Enrollment will only work with Windows 7? If that is the case, it will take some time for this new technology to have an impact.

UPDATE: From doing some more digging, this capability will only work with Windows 7.  BUMMER.
