Selecting Automatic vs. Manual Requests

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Whether you choose to generate certificate requests automatically or manually depends on the types of certificates that you intend to use and the number and type of clients that you enroll. For example, if you want all users or computers to use a certain type of certificate, it is not practical for you to require that each certificate be requested individually. Although rolling out a new certificate to all users or computers at one time can generate a large amount of network activity, you can control that activity by deploying the certificate requests for each organizational unit one at a time.

On the other hand, you might want to have users or an administrator request certain high-security certificates, such as those used for digital signing or administrative tasks, only when needed. This can improve administrative control over these certificates — particularly if certificate use is not limited by a user or computer OU, or security group membership.

You can improve control over your certificates by using one of the following options to limit user certificate requests:

  • Restrict access to specific templates. Configure the discretionary access control list (DACL) on each template so that only the required security principals have the Read and Enroll permissions for that template. Removing Enroll stops new requests against the template but does not revoke certificates that were already issued from it; revoke those on the CA if they must stop being trusted.

  • Automate the deployment of computer certificates. Configure Group Policy to assign the necessary computer certificates automatically by adding the certificate template under Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings. Computers in the scope of the policy request the certificate at the next policy refresh without any user action, and the computer account must still hold Enroll permission on the template for the request to succeed.

    Tip

    • Autoenrollment is most useful for issuing and renewing computer and IPSec certificates.
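The following batch file is an added example, not part of the original page, that carries both options above through from the command line: it restricts the Read and Enroll rights on one template to a single group, confirms the CA issues that template, and then forces and checks a computer's automatic request. The forest root (DC=contoso,DC=com), the template common name (ContosoIPsec) and the group (CONTOSO\IPsec Gateways) are hypothetical; substitute your own. The Automatic Certificate Request Settings entry itself is still created in the Group Policy editor, because Windows Server 2003 has no command-line equivalent for that step.

```batch
@echo off
REM Added example (not from the original page). Assumptions, all hypothetical:
REM   forest root   DC=contoso,DC=com
REM   template CN   ContosoIPsec   (the common name in AD, not the display name)
REM   group         CONTOSO\IPsec Gateways
REM Certificate templates live in the Configuration naming context, so the
REM DACL is edited on that object with dsacls. Run the template steps on a
REM domain controller or a member with the Support Tools installed, and the
REM client steps on the computer that should autoenroll.
setlocal
set TEMPLATE_DN=CN=ContosoIPsec,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com
set GRP=CONTOSO\IPsec Gateways

echo === Template DACL before the change ===
dsacls "%TEMPLATE_DN%"

REM Remove any broad grant first (only has an effect if such a grant exists),
REM then give the intended group generic read (GR) plus the Enroll control
REM access right (CA;Enroll). The extended right name Enroll is the display
REM name of the Certificate-Enrollment right in the schema.
dsacls "%TEMPLATE_DN%" /R "CONTOSO\Domain Computers"
dsacls "%TEMPLATE_DN%" /G "%GRP%:GR" "%GRP%:CA;Enroll"
REM Version 2 templates used with autoenrollment (Enterprise Edition CAs) also
REM need the AutoEnrollment right; version 1 templates assigned through
REM Automatic Certificate Request Settings require Enroll only:
REM dsacls "%TEMPLATE_DN%" /G "%GRP%:CA;AutoEnrollment"

echo === Template DACL after the change ===
dsacls "%TEMPLATE_DN%"

REM A template that no CA is configured to issue never yields a certificate,
REM however the DACL is set. List the templates the CA currently issues.
certutil -CATemplates

REM --- On a computer in the scope of the Group Policy object ---
REM Refresh computer policy so the Automatic Certificate Request Settings
REM entry is read, trigger the autoenrollment task, then look for the
REM certificate in the local machine personal store.
gpupdate /target:computer /force
certutil -pulse
certutil -store My
endlocal
```

If `certutil -store My` shows no certificate for the template, check in this order: the computer account (or a group it belongs to) holds Enroll on the template, the CA lists the template in `certutil -CATemplates`, and the Application event log on the client for Autoenrollment events, which report the failing step.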