I have a Windows Server 2012 AD/CA and domain joined computers automatically receive the CA public cert and also get a computer certificate generated and pushed using GPO auto-enrollment. All of this is used for 802.1X and works fine.
Now I need to generate a certificate for a non-domain joined win10 computer, so that it can also authenticate via 802.1X.
This is proving quite difficult. I've come across this post that describes two ways to accomplish this:
Export the certificate from a domain joined computer. I've tested and this works, but as explained in that post the drawback is that all the non-domain joined computers will share the same certificate.
This follow-up comment seems to suggest that the five steps above can be reduced to the following:
You can make the hard option a little easier and reduce a couple of the steps by using a SAN entry in the certificate with a format of SAN:UPN=<hostname>$@<domain.tld>. This results in a certificate that has an NT Principal Name of <hostname>$@<domain.tld> in the SAN field, which is then appropriate for authentication to the NPS as a pure computer object. The only dependency is then the creation of a computer account in Active Directory and adding it to the respective groups for AuthZ.
I've created a computer AD account with the hostname win10test, but I don't understand how to generate the certificate and how to add the SAN:UPN=<hostname>$@<domain.tld> to the certificate.
Do I need to create a CSR on the non-domain computer?
Can someone please elaborate on the instructions from the MS forum post. Thank you.
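One concrete way to carry out what the quoted forum comment describes, added here as an example and not taken from the question or the MS forum post. It assumes the computer account win10test already exists, that the CA is reachable as CA01.domain.tld\Domain-CA, and that a template named Computer allows the subject to be supplied in the request; all three names and domain.tld are placeholders.

```powershell
# Added example, not the question author's or Microsoft's code.
# Placeholders: domain.tld, CA01.domain.tld\Domain-CA, template "Computer".
$hostName = 'win10test'
$domain   = 'domain.tld'
$fqdn     = "$hostName.$domain"

# Step 1, on the non-domain win10 machine: describe the machine key and the SAN.
# 2.5.29.17 is subjectAltName; "upn=hostname$@domain" is the NT Principal Name
# that NPS maps onto the computer object in AD.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
; Client Authentication, the EKU NPS / EAP-TLS checks
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "upn=$hostName`$@$domain&"
_continue_ = "dns=$fqdn"
"@ | Set-Content -Path "$hostName.inf" -Encoding ASCII

# Creates the key pair in the LocalMachine store and writes the CSR.
certreq -new "$hostName.inf" "$hostName.req"

# Step 2, on a domain-joined admin box: the non-domain machine cannot authenticate
# to the enterprise CA, so copy the .req over, submit it there, copy the .cer back.
certreq -submit -config 'CA01.domain.tld\Domain-CA' -attrib 'CertificateTemplate:Computer' "$hostName.req" "$hostName.cer"

# Step 3, back on the win10 machine: bind the issued cert to its private key.
certreq -accept "$hostName.cer"

# Verify the SAN really carries the computer UPN before testing 802.1X.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$fqdn" } |
  ForEach-Object { ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true) }
```

Keep enrollment permission on a template that accepts the subject from the request restricted to the admins who issue these certs, since anyone allowed to enroll on it can request a certificate carrying any computer UPN.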