Configure Certificate Publishing in Active Directory Domain Services

  • Article

Applies To: Windows Server 2008 R2

A Windows Server–based certification authority (CA) can add certificates that have been issued to Active Directory subjects to the appropriate Active Directory object. This allows other users of Active Directory Domain Services (AD DS) to easily locate and use the subject's certificate. There are two settings (located on the General tab of the certificate template's property sheet) that affect the way this feature works:

  • Publish certificate in Active Directory. When a subject obtains a certificate based on this template, the issued certificate will be added to that subject's Active Directory object.

Note

This setting indicates the certificate issued based on the certificate template should be published to the Active Directory Domain Services (AD DS) database. When this setting is enabled, the user or computer object in the AD DS database is updated with the certificate of the user or computer respectively. The private key is not published to the AD DS database. For both computer and user certificates, the userCertificate attribute of the AD DS object is updated with the certificate. The CA must have write permission to the AD DS database user and computer objects to make this update. The permission to write to the computer and user objects in the AD DS database is granted to CAs through their membership in the Cert Publishers group by default. This setting is typically only used with user certificates. When a user’s certificate is published in the AD DS database, other users can search the AD DS database to find the certificate of that user. The certificate can then be used to encrypt email or files to the user whose certificate is published in the AD DS database.

  • Do not automatically re-enroll if a duplicate certificate exists in Active Directory. When the subject attempts to enroll for a certificate based on this template, computers running Windows XP or later will search for a duplicate certificate in AD DS. If one exists, autoenrollment will not submit a re-enrollment request. This allows certificates to be renewed but prevents multiple duplicate certificates from being issued.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To configure certificate publishing in AD DS

  1. Open the Certificate Templates snap-in.

  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

  3. On the General tab, select the check box for the appropriate Active Directory setting, and then click Apply.

Additional references