Channel: Security forum

PKI certificate enrollment behind firewall


We have PKI set up in our lab with 1 root, 1 issuing CA and 1 CDP. We have an edge network in our lab using a RODC (Read Only Domain Controller) and a serverX in that RODC edge network. There is a firewall between the network that the root, CA and CDP are on, and the network the RODC and serverX are on.

We do not have "certificate services client - credential roaming" enabled in Active Directory.  We have a user certificate template and a computer certificate template.  Both have autoenroll turned on in security, "Domain Users" for the user certificate and "Domain Computers" for the computer certificate.  Neither the user nor the computer certificate is being published into Active Directory.

Since serverX is behind a firewall, we would expect that it would not receive either the user or computer certificate from the issuing CA without us having to open some ports, and this is indeed what we are seeing. However, if we go into the local computer -> personal certificate folder on serverX, and then right click all tasks -> request new certificate, we will see the computer certificate as being available to request. If we try to enroll the presented computer certificate, it will fail as expected.

How is the server certificate being presented as available to serverX if we have not opened up the ports on the firewall?  How is serverX getting the list of available certs if it cannot contact the issuing CA? 
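The two steps the question separates (seeing the template list versus actually enrolling) go to two different places, and the following script makes that visible from serverX. It is an added example, not code from the original post: the template offer comes from LDAP reads of the Configuration naming context (CN=Public Key Services,CN=Services,CN=Configuration,...), which an RODC holds a read-only replica of, while the enrollment request itself is a DCOM/RPC call to the issuing CA (TCP 135 plus a dynamic port), which is what the firewall blocks. It assumes the machine running it is domain-joined and can reach a DC (the RODC); the CA host name is read from AD rather than hard-coded, and `Test-NetConnection` requires Windows 8/2012 or later.

```powershell
# Added example: where a domain member gets its certificate template list (LDAP to any DC,
# including an RODC) versus where enrollment has to go (DCOM/RPC to the issuing CA).
# Assumes a domain-joined host that can reach a domain controller.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Which DC answered the LDAP query. In the edge network this is the RODC, which carries
# a read-only copy of the Configuration partition, including the PKI containers below.
"Answering DC: {0}" -f $rootDse.dnsHostName

function Find-PkiObjects {
    param([string]$Container, [string]$ObjectClass, [string[]]$Attributes)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://CN=$Container,$pkiBase")
    $searcher.Filter = "(objectClass=$ObjectClass)"
    $searcher.PropertiesToLoad.AddRange($Attributes)
    $searcher.FindAll()
}

# 1. Enrollment Services: one object per enterprise CA, listing the templates it offers.
#    This is the list the "Request New Certificate" wizard is built from.
$cas = Find-PkiObjects -Container "Enrollment Services" -ObjectClass "pKIEnrollmentService" `
                       -Attributes @("cn", "dNSHostName", "certificateTemplates")
foreach ($ca in $cas) {
    "CA '{0}' on host {1}" -f $ca.Properties["cn"][0], $ca.Properties["dnshostname"][0]
    "  offers templates: {0}" -f ($ca.Properties["certificatetemplates"] -join ", ")
}

# 2. Certificate Templates: the template definitions (flags, enrollment ACL). Also LDAP-only.
$templates = Find-PkiObjects -Container "Certificate Templates" -ObjectClass "pKICertificateTemplate" `
                             -Attributes @("cn", "msPKI-Enrollment-Flag")
"Template definitions readable from this DC: {0}" -f $templates.Count

# 3. The step that fails behind the firewall: the RPC endpoint mapper on the CA host.
#    Enrollment (ICertRequest over DCOM) needs TCP 135 and then a dynamic RPC port.
foreach ($ca in $cas) {
    $caHost = $ca.Properties["dnshostname"][0]
    $probe  = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue
    "RPC endpoint mapper on {0}: {1}" -f $caHost, $(if ($probe.TcpTestSucceeded) { "reachable" } else { "blocked" })
}
```

The same split can be seen with built-in tools: `certutil -template` lists templates from AD and works from serverX, while `certutil -config "<CA host>\<CA name>" -ping` (or `certutil -CATemplates -config ...`) has to talk DCOM to the CA and fails until TCP 135 and the CA's RPC port range are opened.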

