Moved question from http://social.technet.microsoft.com/Forums/windowsserver/en-US/05fc859d-de23-44cb-9e10-7f70d95193d9/enroll-an-external-certificate-at-the-root-ca
----
Hi all,
Under Linux I can set up a CA and then enroll my own certificates. It's straightforward.
Is it possible to do that with a Windows CA? Root CA is 2008 R2.
So far I have understood that Microsoft doesn't seem to allow such an action, but you can enroll a user/PC CSR, and you can enroll a CSR for networking devices; for the latter you must use SCEP. It's not contemplated to have whatever CSR enrolled in the Root CA.
I saw the possibility to use the Certificate Enrollment Web Service, but the Root CA must be part of a forest, and in our company we don't use it.
It all comes from an HP built-in web server that gives me the possibility to enroll its own CSR at the CA. I get it in PEM format, but then I don't know how to enroll it on our 2008 R2 Root CA. The same question would apply if the CSR were generated by openssl in Linux.
If what I'm asking is not possible, would it be possible to have a link that explains the model Microsoft uses for their PKI, and a page that explains how the various versions of Windows Server differ with respect to the PKI features offered?
In the process of learning I always hit my head against the templates, which in my opinion should ease the task of an administrator, but sometimes they are more of a must before having a PKI working.
Thanks a lot in advance,
Alex