Selecting Automatic vs. Manual Approval

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Users can request a certificate from a Windows Server 2003 CA either manually or automatically. This request is held until an administrator approves it, if manual approval is required, or until the verification process is completed. When the certificate request has been approved, the autoenrollment process installs the certificate automatically, or automatically renews the certificate on behalf of the user, based on the specifications in the certificate template.

Most of the time, you choose the same method for certificate approval that you choose for certificate requests, but not always. For example, if you have the appropriate Group Policy and DACL restrictions on your certificate templates, you might decide to automatically approve a certificate request that was generated manually. Conversely, in some cases it is appropriate to manually approve certificate requests that are generated automatically.

Note

  • You can use strong authentication to enhance the security associated with autoenrollment. With strong authentication, the certificate template uses a specified policy object identifier to require an additional signature on the certificate request. For example, you can set a policy that requires the use of a smart card to provide a stronger authentication method for autoenrollment requests, or you can require approval for automatic certificate requests, so that administrators must approve pending requests.

However, in general:

  • For routine and high volume certificates, such as e-mail certificates, automatic approval is the best option for certificate approval as long as the certificate requester has already been authenticated with a valid set of domain credentials.

  • When a high degree of administrative oversight is required, such as for software code signing certificates, consider processing certificate requests manually. By using the Certificate Request Wizard, you can evaluate every certificate request individually — or you can delegate this responsibility to another administrator.
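The choices above are stored on each certificate template as Active Directory attributes: the "CA certificate manager approval" setting is the CT_FLAG_PEND_ALL_REQUESTS bit of msPKI-Enrollment-Flag, autoenrollment is CT_FLAG_AUTO_ENROLLMENT in the same attribute, and the strong-authentication requirement from the note above is expressed through msPKI-RA-Signature (number of additional signatures) and msPKI-RA-Application-Policies (the policy OID the signing certificate must carry). The script below is an added example, not code from this document or from Microsoft: it takes a handful of constructed template records (names are hypothetical; the flag bit values and OIDs are the documented ones) in the shape an LDAP export of the Certificate Templates container would give, reports each template's approval mode, and flags templates that combine a high-oversight purpose such as code signing with automatic approval and no additional signature, which is exactly the combination the guidance above says to avoid.

```python
"""Audit certificate-template approval settings (added example, not part of the page).

Input is a list of dicts holding a subset of a pKICertificateTemplate object's
attributes. In a real audit these come from an LDAP query against
CN=Certificate Templates,CN=Public Key Services,CN=Services,<configuration NC>;
here they are constructed inline so the script runs offline.
"""

# msPKI-Enrollment-Flag bits (documented in MS-CRTD).
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002      # "CA certificate manager approval" checkbox
CT_FLAG_PUBLISH_TO_DS = 0x00000008
CT_FLAG_AUTO_ENROLLMENT = 0x00000020        # template is eligible for autoenrollment

# Well-known enhanced key usage / application policy OIDs.
EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EKU_SECURE_EMAIL = "1.3.6.1.5.5.7.3.4"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
APP_POLICY_ENROLLMENT_AGENT = "1.3.6.1.4.1.311.20.2.1"

# Purposes that the guidance treats as needing administrative oversight.
HIGH_OVERSIGHT_EKUS = {EKU_CODE_SIGNING}

# Constructed sample templates (hypothetical names, realistic attribute values).
TEMPLATES = [
    {   # routine, high-volume: autoenrolled and auto-approved, as recommended
        "cn": "MailUser",
        "msPKI-Enrollment-Flag": CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS
        | CT_FLAG_PUBLISH_TO_DS | CT_FLAG_AUTO_ENROLLMENT,
        "msPKI-RA-Signature": 0,
        "msPKI-RA-Application-Policies": [],
        "pKIExtendedKeyUsage": [EKU_SECURE_EMAIL],
    },
    {   # code signing with manual approval: each request is held as pending
        "cn": "CodeSigningReviewed",
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "msPKI-RA-Application-Policies": [],
        "pKIExtendedKeyUsage": [EKU_CODE_SIGNING],
    },
    {   # misconfigured: code signing issued automatically with no extra control
        "cn": "CodeSigningAuto",
        "msPKI-Enrollment-Flag": CT_FLAG_AUTO_ENROLLMENT,
        "msPKI-RA-Signature": 0,
        "msPKI-RA-Application-Policies": [],
        "pKIExtendedKeyUsage": [EKU_CODE_SIGNING],
    },
    {   # strong authentication: one extra signature from an enrollment agent
        "cn": "SmartcardUser",
        "msPKI-Enrollment-Flag": CT_FLAG_AUTO_ENROLLMENT,
        "msPKI-RA-Signature": 1,
        "msPKI-RA-Application-Policies": [APP_POLICY_ENROLLMENT_AGENT],
        "pKIExtendedKeyUsage": [EKU_SMARTCARD_LOGON],
    },
]


def describe(template):
    """Decode one template's enrollment and approval settings into plain fields."""
    flags = template["msPKI-Enrollment-Flag"]
    return {
        "name": template["cn"],
        "autoenroll": bool(flags & CT_FLAG_AUTO_ENROLLMENT),
        # Pending requests must be issued or denied by a certificate manager.
        "approval": "manual" if flags & CT_FLAG_PEND_ALL_REQUESTS else "automatic",
        "extra_signatures": int(template.get("msPKI-RA-Signature", 0)),
        "signing_policies": list(template.get("msPKI-RA-Application-Policies", [])),
    }


def audit(templates):
    """Return a finding for every template that issues a high-oversight purpose
    automatically, with neither manager approval nor an additional signature."""
    findings = []
    for template in templates:
        d = describe(template)
        purposes = set(template.get("pKIExtendedKeyUsage", []))
        if (d["approval"] == "automatic" and d["extra_signatures"] == 0
                and purposes & HIGH_OVERSIGHT_EKUS):
            findings.append(
                f"{d['name']}: high-oversight purpose issued with automatic "
                f"approval and no additional signature")
    return findings


if __name__ == "__main__":
    for t in TEMPLATES:
        d = describe(t)
        print(f"{d['name']:22} autoenroll={d['autoenroll']!s:5} "
              f"approval={d['approval']:9} extra_signatures={d['extra_signatures']} "
              f"signing_policies={d['signing_policies']}")
    for finding in audit(TEMPLATES):
        print("FINDING:", finding)
```

The same decoding applies to a live export: query the Certificate Templates container with any LDAP client, feed each object's msPKI-Enrollment-Flag, msPKI-RA-Signature, msPKI-RA-Application-Policies and pKIExtendedKeyUsage values into `describe`, and extend HIGH_OVERSIGHT_EKUS with whatever purposes your organization treats as requiring manual approval.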