Issue Certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can issue certificates to users, computers, and services after the required certificate services are installed and configured. Keep the following considerations in mind when you start to issue certificates:

• Certificates are issued for computers within the scope of the Automatic Certificate Request settings of the Group Policy. Domain Administrators can also manually request certificates for local computers by using the Certificate Request Wizard or the Microsoft Certificate Services Web pages. Consider scheduling manual enrollment in stages to help distribute the administrative workload for computer enrollment.

• Smart card administrators can start issuing smart card certificates by using the Smart Card Enrollment Station available on the Microsoft Certificate Services Web pages. Consider scheduling smart card enrollment in stages to help distribute the administrative workload for smart card enrollment.

During the transition to smart cards, both smart card authentication and interactive logon with domain credentials should be enabled. Because this weakens network security, configure user account policy to require smart cards for interactive logon as soon as smart card users are trained and are using their cards.

Monitor the performance of certificate services closely as you start issuing certificates to ensure that CAs handle the certificate load. To correct excessive load conditions, consider adding more issuing CAs or scheduling certificate enrollment in smaller stages. Certificate renewal might also produce excessive load conditions. Adding more CAs and scheduling certificate enrollment in smaller stages can also help distribute peak renewal loads.