G'day
I've been encountering a situation where a single-site AD would require having 2 CAs (more likely 1 Root + 2 Sub-CAs) so that I can issue certificates for 802.1x authentication for groups of machines that are on 1 site / security zone, whereas other machines should enroll certificates from the other CA. This way the RADIUS server can validate the client cert and check if the client connects to an appropriate 802.11 SSID.
I hope(d) to use autoenrollment via GPO while the clients are provisioned the first time (over wired network).
I've done some research and did want to set up a GPO where computers in one OU would get a cert via autoenrollment from one CA, and if they are in the other OU, they have another GPO telling them to also do autoenrollment but get a cert from the other CA.
Now I didn't find a way to either
- Tell via GPO that they should enroll to a specific CA
- Or: Have a custom computer cert template that is enabled/serviced by only one of the 2 CAs; and I was looking to set/force the cert template in the GPO for the computers.
Telling a machine via GPO to just get a certificate does work, but I am looking to tell a machine "you're a Type X machine, get a cert from CA x / specific cert type x".
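Whatever the GPO ends up doing, the thing worth verifying on a provisioned client is whether it actually holds a machine certificate issued by the sub-CA for its zone and from the intended template, since that is what the RADIUS policy will key on. The following PowerShell check is an added example, not code from the original post; the CA common name and template name are assumed placeholders, and it reads the Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7, v2 templates) or the older Certificate Template Name extension (1.3.6.1.4.1.311.20.2, v1 templates) from each certificate in the local machine store.

```powershell
# Added example (not from the original post): check that the local machine
# holds a valid 802.1X client certificate from the expected sub-CA and template.
# Both expected values below are assumed placeholders; replace them with the
# CA's CN and the template name (or template OID) used in your environment.
param(
    [string]$ExpectedIssuerCN = 'ZONE-A-SUBCA',      # assumed sub-CA common name
    [string]$ExpectedTemplate = 'ZoneAMachine8021X'  # assumed template name or OID
)

$templateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2)
$templateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1)

# Only certificates with a private key and still within their validity period
# are candidates for EAP-TLS client authentication.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.NotBefore -le (Get-Date) }

$report = foreach ($cert in $certs) {
    # Prefer the v2 extension; fall back to the v1 extension if absent.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
    if (-not $ext) { $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateNameOid } }
    # Format($false) renders the extension as text, e.g.
    # "Template=ZoneAMachine8021X(1.3.6.1.4.1.311.21.8...), Major Version Number=100, ..."
    $templateText = if ($ext) { $ext.Format($false) } else { '' }

    # Pull the CN out of the issuer DN so the comparison does not depend on
    # the rest of the DN (O=, DC=, ...).
    $issuerCN = ($cert.Issuer -split ',' |
        Where-Object { $_.Trim() -like 'CN=*' } |
        Select-Object -First 1) -replace '^\s*CN=', ''

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        IssuerCN   = $issuerCN
        Template   = $templateText
        IssuerOK   = ($issuerCN -eq $ExpectedIssuerCN)
        TemplateOK = ($templateText -match [regex]::Escape($ExpectedTemplate))
    }
}

$report | Format-Table Thumbprint, IssuerCN, IssuerOK, TemplateOK, Template -AutoSize

# A machine in the wrong OU, or one that picked up a cert from the other CA,
# shows up here as having no certificate that satisfies both checks.
$good = $report | Where-Object { $_.IssuerOK -and $_.TemplateOK }
if (-not $good) {
    Write-Warning "No valid machine certificate issued by '$ExpectedIssuerCN' from template '$ExpectedTemplate' found in Cert:\LocalMachine\My."
} else {
    Write-Host "OK: $($good.Count) matching certificate(s) present."
}
```

Run it elevated on a freshly provisioned client (or remotely via Invoke-Command) before the machine is moved onto the wireless zone; pairing the IssuerCN column with what the RADIUS server's EAP-TLS policy expects makes a mis-enrolled machine visible before it fails authentication. If the template name resolves only as an OID in the Template column, pass the template OID as $ExpectedTemplate instead of the display name.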