License editions: To understand the applicable license editions, see Plans & Pricing.
Overview
This topic describes the procedure to set up automatic certificate enrollment in Active Directory.
Before you begin
Your user account must be a member of the Enterprise Admins and Cert Publishers groups.
You must log on to the Active Directory Certificate Services (AD CS) server.
Step 1 - Create a security group
To create a security group on Active Directory
On DC1, click Start > Administrative Tools, and then click Server Manager.
In the navigation pane, expand Roles, expand Active Directory Domain Services, expand Active Directory Users and Computers, expand contoso.com, right-click Users, click New, and then click Group.
In the New Object - Group dialog box, in the Group name text box, type a name for the group. Example: AutoEnrollGroup.
Click OK. Leave Server Manager running with the Computers container shown in the results pane.
Step 2 - Create a certificate template to enroll
To create a certificate template
Open the Certificate Templates Console
From the Start menu, click Run.
Type certtmpl.msc in the text box and click OK. The Certificate Templates Console window appears.
Right-click the User template, and then click Duplicate Template.
Under the General tab,
Type a Template display name. For example, User Auto Enroll.
(Optional) Modify the default Validity Period and Renewal Period as required.
Select the Publish certificate in Active Directory check box.
Select the Do not automatically reenroll if a duplicate certificate exists in Active Directory check box.
Under the Request Handling tab,
Click the Cryptography tab and set Minimum key size to 4096.
Under the Security tab,
Under the Extensions tab,
Click Apply and then click OK.
Close the Certificate Templates Console.
Step 3 - Add certificate template to the certification authority
To add a certificate template to the certification authority
Open the Certification Authority console.
From the Start menu, click Run.
Type certsrv.msc and click OK.
Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
Select the certificate template, for example User Auto Enroll in this case, and click OK.
Verify that the certificate template now appears under Certificate Templates for your certification authority.
Step 4 - Create group policy for auto enrollment
To create a group policy for auto enrollment
Launch the Group Policy Management console.
From the Start menu, click Run.
Type gpmc.msc in the text box, and click OK.
In the left pane, right-click the Domain Controller node and select Create a GPO in this domain, and Link it here. The New GPO dialog box appears.
Type a Name for the group policy and click OK.
Right-click the newly created group policy, and click Edit.
Go to User Configuration > Windows Settings > Security Settings > Public Key Policies. In the right pane, under Object Type, select Certificate Services Client - Auto-Enrollment.
Right-click Certificate Services Client - Auto-Enrollment and click Properties.
Under the Enrollment Policy Configuration tab,
Save your changes and close the Group Policy Management console.
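The same procedure scripted with built-in Windows tooling, as an added example that is not part of the original page: it creates the group from Step 1, publishes the template on the CA as in Step 3, and builds and links the auto-enrollment GPO from Step 4 (Step 2, duplicating the User template, remains a console task). It assumes the domain contoso.com and group name AutoEnrollGroup from the page, and additionally assumes the template's internal name is UserAutoEnroll (AD CS strips spaces from the display name unless you change it), a GPO name of your choosing, and that the GPO is linked at the domain root.

```powershell
# Added example, not from the original page. Run on the AD CS server with the
# RSAT ActiveDirectory and GroupPolicy modules available.
#Requires -Modules ActiveDirectory, GroupPolicy

$DomainDN     = 'DC=contoso,DC=com'                     # from the page
$GroupName    = 'AutoEnrollGroup'                        # from the page
$TemplateName = 'UserAutoEnroll'                         # ASSUMPTION: internal name of "User Auto Enroll"
$GpoName      = 'Certificate Auto-Enrollment (Users)'    # ASSUMPTION: any name works

# Step 1 - security group in the Users container (idempotent)
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$DomainDN" -Description 'Users who receive auto-enrolled certificates'
}

# Step 2 stays in certtmpl.msc. Before continuing, confirm the template's Security
# tab grants Read, Enroll and Autoenroll to $GroupName and to nothing broader:
# a template that is too permissive enrolls far more users than intended.

# Step 3 - publish the template on this CA ("Certificate Template to Issue")
certutil -SetCATemplates "+$TemplateName" | Out-Null

# Check: the template must now be listed on the CA
if (-not (certutil -CATemplates | Select-String -SimpleMatch $TemplateName)) {
    throw "Template '$TemplateName' is not published on this CA"
}

# Step 4 - GPO linked at the domain root, enabling user auto-enrollment.
# The registry values below are what the GUI writes under User Configuration.
# AEPolicy = 7 = enabled (1) + renew expired/update pending (2) + update templates (4).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
}
$aeKey = 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $GpoName -Key $aeKey -ValueName 'AEPolicy' `
    -Type DWord -Value 7 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $aeKey -ValueName 'OfflineExpirationPercent' `
    -Type DWord -Value 10 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $aeKey -ValueName 'OfflineExpirationStoreNames' `
    -Type MultiString -Value @('MY') | Out-Null

# Check: show the policy values the GPO will apply to users
Get-GPRegistryValue -Name $GpoName -Key $aeKey | Format-Table ValueName, Value
```

After the policy replicates, run gpupdate /force on a member workstation as a user in the group and confirm the new certificate in certmgr.msc under Personal > Certificates.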