Manage Certificate Enrollment Policy by Using Group Policy

Applies To: Windows Server 2008 R2

This topic describes the procedures and applications used to configure the certificate enrollment policy settings.

Configuring certificate enrollment policy settings by using Group Policy

Domain Admins is the minimum group membership required to complete this procedure.

To configure certificate enrollment policy settings in Group Policy

  1. Click Start, type gpmc.msc in the Search programs and files box, and press ENTER.

  2. In the console tree, expand the forest and domain that contain the policy that you want to edit, and click Group Policy Objects.

  3. Right-click the policy that you want to edit, and then click Edit.

  4. In the console tree under Computer Configuration\Policies\Windows Settings\Security Settings, click Public Key Policies.

  5. Double-click Certificate Services Client – Certificate Enrollment Policy. For more information about the settings in this dialog box, see the "Certificate Services Client – Certificate Enrollment Policy Properties dialog box" table later in this topic.

  6. Click Add to open the Certificate Enrollment Policy Server dialog box. For more information about the settings in this dialog box, see the "Certificate Enrollment Policy Server dialog box" table later in this topic.

  7. Do one of the following:

    • To add the enrollment policy provided by Active Directory Domain Services (AD DS), select the Use default Active Directory domain controller URI check box.

    • To add a server that hosts the Certificate Enrollment Policy Web Service, type its URI in the Enter enrollment policy server URI box.

  8. In the Authentication type list, select the authentication type required by the enrollment policy server.

  9. Click Validate, and review the messages in the Certificate enrollment policy server properties area. The Add button is available only when the enrollment policy server URI and authentication type are valid.

  10. Click Add.

Note

If the added enrollment policy server supports an enrollment policy that is already displayed in Certificate enrollment policy list, then the added server will not be displayed separately. Click Properties to verify that the added enrollment policy server is displayed in the Enrollment policy servers list. For more information about the settings in this dialog box, see the "Certificate Enrollment Policy Server Properties dialog box" table later in this topic.

User interface reference

The following tables describe the settings available in the Certificate Services Client – Certificate Enrollment Policy Properties dialog box, the Certificate Enrollment Policy Server dialog box, and the Certificate Enrollment Policy Server Properties dialog box.

Certificate Services Client – Certificate Enrollment Policy Properties dialog box

Setting Description

Configuration Model

Specifies whether the policy setting is enabled in Group Policy.

Certificate enrollment policy list

Displays the list of enrollment policies that are included in the policy setting. One of the displayed policies must be specified as the default policy by selecting the Default check box.

Add

Opens the Certificate Enrollment Policy Server dialog box, which is used to add an enrollment policy server.

Remove

Removes the selected enrollment policy and all associated enrollment policy servers from the list.

Properties

Opens the Certificate Enrollment Policy Server Properties dialog box, which displays the policy details and list of enrollment policy servers for the selected enrollment policy.

Disable user configured enrollment policy

Disables the enrollment policy configured by users and applications. Only an enrollment policy configured in Group Policy is used.

Certificate Enrollment Policy Server dialog box

Setting Description

Use default Active Directory domain controller URI

Specifies the default enrollment policy server LDAP URI and the Windows integrated authentication type.

Configure Friendly Name

This button is available only when Use default Active Directory domain controller URI is selected.

Used to configure a name for the enrollment policy that is displayed instead of the default policy name or enrollment policy identifier. The specified name is seen by users in the Certificate Enrollment wizard and other applications.

Note

If more than one enrollment policy server supports the same enrollment policy, then each server should be configured to use the same enrollment policy friendly name. In enrollment policy Web services, the friendly name value is an application setting that is configured by using Server Manager. If the friendly name setting is already configured in each enrollment policy Web service, then add the enrollment policy Web service URIs before adding the domain controller LDAP URI. This will ensure that the friendly name values are the same.

Enter enrollment policy server URI

Specifies the URI of the Certificate Enrollment Policy Web Service. The URI must use HTTPS.

Authentication type

Specifies the type of authentication that is used to connect to the specified URI. The specified authentication type must match the authentication type that is required by the Certificate Enrollment Policy Web Service.

The following authentication types are available:

  • Anonymous. No credentials are provided when connecting to the certificate enrollment policy server.

  • Windows integrated. Windows integrated authentication uses the Kerberos protocol and is appropriate for AD DS domain members.

  • Username/password. During certificate enrollment, users will be prompted to enter a user name and password.

  • X.509 Certificate. During certificate enrollment, users will be prompted to select a certificate for authentication.

Validate

Connects to the specified URI by using the specified authentication type to verify the following details:

  • An SSL connection to the enrollment policy server exists.

  • A valid enrollment policy is returned by the enrollment policy server.

  • The enrollment policy is not already included in the Group Policy setting.

Validation is required for an enrollment policy server URI before it can be added. If the specified URI and authentication type are valid, the enrollment policy identifier and friendly name are displayed. Warning or error messages are displayed if there is a problem with validation.
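The following PowerShell function is an added example, not part of this topic or of the Windows tooling. It performs from a management workstation the first check that the Validate button performs before step 9 of the procedure above: that the URI uses HTTPS, that a TLS connection to the enrollment policy server can be established, and that the server certificate chains to a trusted root on the local computer. The host name and service path in the usage line are constructed placeholders; the function checks only the first DNS name on the certificate, not every subject alternative name.

```powershell
function Test-EnrollmentPolicyServerUri {
    param([Parameter(Mandatory = $true)][string]$Uri)

    $result = New-Object PSObject -Property @{
        Uri = $Uri; Https = $false; TlsConnected = $false; ChainValid = $false
        HostNameMatches = $false; Subject = $null; Message = ''
    }

    # The Certificate Enrollment Policy Web Service URI must use HTTPS.
    $parsed = $null
    if (-not [System.Uri]::TryCreate($Uri, [System.UriKind]::Absolute, [ref]$parsed) -or
        $parsed.Scheme -ne 'https') {
        $result.Message = 'URI must be an absolute HTTPS URI.'
        return $result
    }
    $result.Https = $true

    # Accept any certificate during the handshake so that the chain can be judged
    # explicitly below and reported, rather than hidden inside an exception.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($parsed.Host, $parsed.Port)   # Port is 443 when the URI gives none
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($parsed.Host)
        $result.TlsConnected = $true

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject = $cert.Subject
        # GetNameInfo returns the first SAN DNS name, or the CN when no SAN is present.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $result.HostNameMatches = ($dnsName -eq $parsed.Host)

        # Build the chain against the local trusted roots with online revocation checking.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $result.ChainValid = $chain.Build($cert)
        if (-not $result.ChainValid) {
            $result.Message = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
        $ssl.Close()
    } catch {
        $result.Message = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    return $result
}

# Constructed placeholder URI; replace with the enrollment policy server you intend to add.
Test-EnrollmentPolicyServerUri -Uri 'https://cep.example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP'
```

A result with ChainValid or HostNameMatches set to False indicates the same condition that produces a warning or error in the Certificate enrollment policy server properties area, and the URI should not be added until it is resolved.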

Add

Adds the enrollment policy server URI and validated enrollment policy to the Group Policy setting. The Add button is available only after the enrollment policy server URI and authentication type are validated.

Certificate Enrollment Policy Server Properties dialog box

Setting Description

Enrollment policy servers list

Displays the list of enrollment policy servers that support the enrollment policy.

Remove

Removes the selected enrollment policy server. If all enrollment policy servers are removed, the enrollment policy will also be removed.

Enable for automatic enrollment and renewal

Specifies that the enrollment policy is used for autoenrollment when autoenrollment is enabled.

On computers running Windows 7 that are not members of a domain, autoenrollment is enabled by default. On computers that are members of a domain, autoenrollment must be enabled in Group Policy. See Managing Certificate Enrollment (https://go.microsoft.com/fwlink/?LinkId=143282) for autoenrollment configuration procedures.

Require strong validation during enrollment

Specifies that enrollment clients require validation of the issuing CA's certification path during enrollment.

Additional references