Configuring certificate publishing in Active Directory

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Configuring certificate publishing in Active Directory

A Microsoft certification authority (CA) can add certificates that have been issued to Active Directory subjects to the appropriate Active Directory object. This provides other users of Active Directory with the ability to easily locate and use the subject's certificate. There are two settings that affect the way this feature works:

  • Publish certificate in Active Directory. When a subject obtains a certificate based on this template, the issued certificate will be added to that subject's Active Directory object.

    Note

    This setting indicates the certificate issued based on the certificate template should be published to the Active Directory Domain Services (AD DS) database. When this setting is enabled, the user or computer object in the AD DS database is updated with the certificate of the user or computer respectively. The private key is not published to the AD DS database. For both computer and user certificates, the userCertificate attribute of the AD DS object is updated with the certificate. The CA must have write permission to the AD DS database user and computer objects to make this update. The permission to write to the computer and user objects in the AD DS database is granted to CAs through their membership in the Cert Publishers group by default. This setting is typically only used with user certificates. When a user’s certificate is published in the AD DS database, other users can search the AD DS database to find the certificate of that user. The certificate can then be used to encrypt email or files to the user whose certificate is published in the AD DS database.

  • Do not automatically re-enroll if a duplicate certificate exists in Active Directory. When the subject attempts to enroll for a certificate based on this template, computers running Windows XP or Windows Server 2003 will check to see if a duplicate certificate exists in Active Directory. If one does, autoenrollment will not submit a re-enrollment request. This allows certificates to be renewed but prevents multiple duplicate certificates from being issued.