How to issue a windows machine cert for a non-domain joined computer?

by user355031   Last Updated May 15, 2019 17:00 PM - source

I have a Windows Server 2012 AD/CA and domain joined computers automatically receive the CA public cert and also get a computer certificate generated and pushed using GPO auto-enrollment. All of this is used for 802.1X and works fine.

Now I need to generate a certificate for a non-domain joined win10 computer, so that it can also authenticate via 802.1X.

This is proving quite difficult. I've come across this post that describes two ways to accomplish this:

option 1

Export the certificate from a domain joined computer. I've tested and this works, but as explained in that post the drawback is that all the non-domain joined computers will share the same certificate.

option 2 (preferred)

  1. Create an account in AD
  2. Issue a certificate from a template that allows the private key to be exported
  3. Using name mappings, attach the certificate to the account
  4. Create an SPN that matches the SAN on the certificate..i.e. if the SAN is, you need to create a SPN on the account host/
  5. Install certificate on to target workstation/device

This follow-up comment seems to suggest that the five steps above can be reduced to the following:

  1. Create computer AD account
  2. Issue a computer certificate for the non-domain computer adding SAN:UPN=<hostname>[email protected]<domain.tld>
  3. Install computer certificate on client

You can make the hard option a little easier and reduce a couple of the steps by using a SAN entry in the certificate with a format of SAN:UPN=<hostname>[email protected]<domain.tld>. This results in a certificate that has an NT Principle Name of <hostname>[email protected]<domain.tld> in the SAN field which is then appropriate for authentication to the NPS as a pure computer object. The only dependency is then the creation of a computer account in Active Directory and adding it to the respective groups for AuthZ.

I’ve created a Computer AD account with the hostname win10test but I don’t understand how to generate the certificate and how to add the SAN:UPN=<hostname>[email protected]<domain.tld> to the certificate.

Do I need to create a CSR on the non-domain computer?

Can someone please elaborate on the instructions from the MS forum post. Thank you.

Related Questions