Planning for autoenrollment deployment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Autoenrollment is a useful feature of certification services in Windows XP and Windows Server 2003, Standard Edition. Autoenrollment allows the administrator to configure subjects to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring subject interaction. The subject does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the subject.

To properly configure subject autoenrollment, the administrator must plan the appropriate certificate template or templates to use. Several settings in the certificate template directly affect the behavior of subject autoenrollment.

  • On the Request Handling tab of the selected certificate template, the selection of an autoenrollment user interaction setting will affect autoenrollment:

    Setting: Enroll subject without requiring any user input
    Effect on autoenrollment behavior: This setting allows "silent" autoenrollment without requiring the user to take any action. It is preferred when clients require certificates but may not be aware that they are using them.

    Setting: Prompt the user during enrollment
    Effect on autoenrollment behavior: The user receives a message and may need to take an action when enrollment is performed. This may be necessary when the certificate is intended for a smart card, which requires the user to provide their personal identification number (PIN).

    Setting: Prompt the user during enrollment and require user input when the private key is used
    Effect on autoenrollment behavior: This setting prompts the user both during enrollment and whenever the private key is used. This is the most interactive autoenrollment behavior, as it requires the user to confirm every use of the private key. It is also the setting that provides the highest level of user awareness regarding key usage.

    Caution

    • This setting is provided to the client during certificate enrollment. The client is expected to follow the configured setting, but the certification authority does not enforce it.

  • On the Request Handling tab of the selected certificate template, the number of CSPs that are selected in the CSP Selection list box changes the behavior of autoenrollment for smart card templates. If you select more than one smart card CSP, users may receive more than one dialog box when Windows XP retrieves the autoenrolled certificate and begins to install it on the smart card. It is recommended that only one CSP be selected from this list for each template.

  • On the Subject Name tab of the selected certificate template, selecting the Supply in the request option disables autoenrollment based on this template. That option requires the subject to supply the subject name interactively when building the request, which autoenrollment cannot do.

  • On the Issuance Requirements tab of the selected certificate template, selecting This number of authorized signatures and making the value greater than 1 disables subject autoenrollment based on this template.

  • On the Issuance Requirements tab of the selected certificate template, selecting This number of authorized signatures and setting the value to 1 requires the requester to sign the request with a private key from a valid certificate in their certificate store. This certificate must contain the application and issuance policies that are specified in the Application policy and Issuance policies lists on the same tab. If an appropriate certificate exists in the requester's certificate store, autoenrollment signs the request with this certificate's private key and obtains and installs the requested certificate automatically.

  • On the Issuance Requirements tab of the selected certificate template, the Valid existing certificate option may affect subject autoenrollment. This option tells the CA that the subject does not need to meet issuance requirements when renewing a valid certificate. Subjects who may have been unable to autoenroll for the initial certificate may be able to use autoenrollment to renew that certificate.

  • On the General tab of the selected certificate template, the Validity period and Renewal period settings specify the valid lifetime of the certificate and how long before the end of its lifetime autoenrollment will request a renewal. Because the validity period can be very short and the renewal period may overlap it, autoenrollment does not renew a certificate until at least 80% of the certificate lifetime has elapsed or the renewal period specified on the template has been reached, whichever comes later (that is, the point that leaves the shortest remaining validity). For example:

    • For a certificate with a validity period of 10 days and a renewal period set to 3 days, autoenrollment will not renew the certificate until 8 days (80%) have passed.

    • For a certificate with a validity period of 10 days and a renewal period set to 1 day, autoenrollment will not renew the certificate until 9 days (90%) have passed.

    This prevents autoenrollment from endlessly renewing a certificate due to misconfigured validity and renewal period settings.
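    The renewal rule above, modelled as an added example (not code from the original article): the renewal attempt happens at the later of 80% of the validity period and the start of the template's renewal period, and the third case shows why the 80% floor stops a misconfigured renewal period from causing endless renewals. Function names, the alignment of the eight-hour cycle to issuance time, and the sample values are assumptions for illustration.

```python
"""Model of the autoenrollment renewal timing rule (added example)."""
from datetime import datetime, timedelta

# Tolerances stated in the article; cycle alignment to issuance is assumed.
AUTOENROLL_CYCLE = timedelta(hours=8)
CLOCK_SKEW = timedelta(hours=1)


def renewal_offset(validity: timedelta, renewal: timedelta) -> timedelta:
    """How long after issuance autoenrollment first attempts renewal.

    The renewal period is counted back from expiry, so it begins at
    validity - renewal.  The 80% floor applies regardless of how short
    or how long the renewal period is, so a renewal period longer than
    the validity period still yields a renewal at 80% rather than at 0.
    """
    eighty_percent = validity * 0.8
    renewal_start = validity - renewal
    return max(eighty_percent, renewal_start)


def next_renewal_attempt(issued: datetime, validity: timedelta,
                         renewal: timedelta) -> datetime:
    """First eight-hour autoenrollment cycle at or after the renewal point.

    Assumes cycles are counted from the issuance time (an assumption).
    """
    earliest = issued + renewal_offset(validity, renewal)
    cycles = -(-(earliest - issued) // AUTOENROLL_CYCLE)  # ceiling division
    return issued + cycles * AUTOENROLL_CYCLE


def worked_examples() -> dict:
    """The article's two cases plus a misconfigured case, in days."""
    day = timedelta(days=1)
    return {
        "validity 10d, renewal 3d": renewal_offset(10 * day, 3 * day) / day,
        "validity 10d, renewal 1d": renewal_offset(10 * day, 1 * day) / day,
        # Constructed misconfiguration: renewal period exceeds validity.
        # Without the 80% floor this would renew immediately, forever.
        "validity 10d, renewal 20d": renewal_offset(10 * day, 20 * day) / day,
    }


if __name__ == "__main__":
    for case, days in worked_examples().items():
        print(f"{case}: renew after {days:.1f} days")
```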

Note

  • Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, is required to configure version 2 certificate templates for autoenrollment requests. However, autoenrollment manages certificates or pending certificate requests based on any version of certificate template.

  • By default, certificate autoenrollment runs on an eight-hour cycle. There is also a built-in tolerance of one hour of clock skew when checking whether a certificate has expired.