Introduction (Certificate Autoenrollment in Windows Server 2003)

Applies To: Windows Server 2003 with SP1

Microsoft Windows Server 2003, Enterprise Edition introduces the capability to automatically enroll users and computers for certificates, including smart card-based certificates.

Using the autoenrollment feature, organizations can manage the certificate lifecycle for users, which includes:

  • Certificate renewal

  • Superseding of certificates

  • Multiple signature requirements

Certificate autoenrollment is based on the combination of Group Policy settings and version 2 certificate templates. This combination allows the Windows XP Professional or Windows Server 2003 client to enroll users when they log on to their domain, or a machine when it boots, and keeps them periodically updated between these events.

Automatic enrollment of user certificates provides a quick and simple way to issue certificates to users and to enable public key infrastructure (PKI) applications, such as smart card logon, Encrypting File System (EFS), Secure Sockets Layer (SSL), Secure/Multipurpose Internet Mail Extensions (S/MIME), and others, within an Active Directory directory service environment. User autoenrollment minimizes the high cost of normal PKI deployments and reduces the total cost of ownership (TCO) for a PKI implementation when Windows XP Professional clients are configured to use Active Directory.

Supports Pending Certificate Requests and Certificate Renewal

User autoenrollment in Windows XP Professional and Windows Server 2003 supports both pending certificate requests and renewal features.

Requesting a Certificate

You can manually or automatically request a certificate from a Windows Server 2003 certification authority (CA). This request is held until administrative approval is received or the verification process is completed. Once the certificate has been approved or issued, the autoenrollment process completes and installs your certificate automatically.

Renewing a Certificate

The process for renewing an expired user certificate also takes advantage of the autoenrollment mechanism. Certificates are automatically renewed on behalf of the user, dependent on the specifications in the certificate template.
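The two mechanisms described above, the Group Policy switch that turns autoenrollment on for a client and the template-driven renewal of certificates already in the user's store, can both be inspected from the client side. The following PowerShell script is an added example, not code from the original article or from Microsoft: it reads the autoenrollment policy value (the real registry location is HKLM/HKCU\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment, value AEPolicy; the meaning assigned to the individual bits below is an assumption taken from the documented Group Policy setting layout, not from this page) and then lists every certificate in the user's personal store that carries a certificate template extension (the v1 template-name OID 1.3.6.1.4.1.311.20.2 or the v2 template-information OID 1.3.6.1.4.1.311.21.7), together with the days remaining before expiry, which is the input the template's renewal period acts on. The function and variable names are the example's own.

```powershell
# Added example (not from the original article): inspect the client-side state
# that certificate autoenrollment depends on.
# Assumptions: AEPolicy bit meanings follow the layout used by the
# "Certificate Services Client - Auto-Enrollment" Group Policy setting
# (0x8000 = disabled, 0x2 = renew/pending/revoked handling, 0x4 = template updates);
# the template OIDs are the standard Microsoft certificate-template extensions.

$userPolicyPath    = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$machinePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

function Get-AutoenrollmentPolicy {
    # Decode the AEPolicy DWORD for one policy scope (User or Machine).
    param([string]$Path, [string]$Scope)

    $value = (Get-ItemProperty -Path $Path -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value) {
        # No policy written at all: the Group Policy setting is "Not Configured".
        return [pscustomobject]@{
            Scope = $Scope; AEPolicy = '(not configured)'
            Enabled = $null; RenewAndPending = $null; UpdateTemplates = $null
        }
    }
    [pscustomobject]@{
        Scope           = $Scope
        AEPolicy        = ('0x{0:X}' -f $value)
        Enabled         = (($value -band 0x8000) -eq 0)   # assumed: 0x8000 marks the policy as disabled
        RenewAndPending = (($value -band 0x2) -ne 0)      # assumed: renew expired, install pending, remove revoked
        UpdateTemplates = (($value -band 0x4) -ne 0)      # assumed: re-enroll when a template changes or supersedes
    }
}

function Get-TemplateIssuedCertificates {
    # List certificates that were issued from a certificate template, i.e. the
    # ones autoenrollment tracks for renewal, with days left until expiry.
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }  # v2 template information
        $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }  # v1 template name
        if ($v2 -or $v1) {
            $template = if ($v2) { $v2.Format($false) } else { $v1.Format($false) }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
                Template   = $template
            }
        }
    }
}

# Usage: show both policy scopes, then the template-issued certificates closest to expiry.
Get-AutoenrollmentPolicy -Path $userPolicyPath    -Scope 'User'    | Format-List
Get-AutoenrollmentPolicy -Path $machinePolicyPath -Scope 'Machine' | Format-List
Get-TemplateIssuedCertificates | Sort-Object DaysLeft | Format-Table -AutoSize
```

A certificate that shows up here with a small DaysLeft value but a template whose renewal period should already have triggered is the usual starting point when renewal appears not to be happening; checking that the policy scope reports Enabled and RenewAndPending as true rules out the Group Policy side before looking at the template or CA.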

Dependencies

The autoenrollment feature has several infrastructure requirements. These include:

  • Windows Server 2003 schema and Group Policy updates

  • Windows 2000 Server domain controllers running Service Pack 3 or later

  • Windows XP Professional or Windows Server 2003 clients

  • Windows Server 2003, Enterprise Edition or Datacenter Edition running as an Enterprise CA

Note

Autoenrollment Group Policy settings may only be applied when using a Windows XP Professional or Windows Server 2003 computer.

Topics Covered

  • How Autoenrollment Works

  • Configuring Certificate Templates

  • Configuring an Enterprise CA

  • Configuring Group Policy

  • User Autoenrollment

  • Certificate Renewal

  • Autoenrollment Functions

  • Updating Group Policy

  • Advanced Features

  • Supported Hardware

  • Troubleshooting