Certificate Services example implementation: Establishing autoenrollment for user certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

These tasks are required for using key recovery on a Microsoft certification authority (CA):

  1. Duplicate the User template and use the copy for autoenrollment

  2. Configure an enterprise certification authority to issue the Autoenrolled User certificate

  3. Establish policy for autoenrollment of Domain Users

Prerequisites

Before doing these tasks, for the purposes of this walkthrough:

  • The Windows Server 2003 domain controller must also be configured as an enterprise subordinate or root CA. The CA is referred to by the name EntCA in this walkthrough.

Duplicate the User template and use the copy for autoenrollment

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Under Snap-in, double-click Certificate Templates, click Close, and then click OK.

  4. In the console tree, click Certificate Templates. All of the certificate templates will be displayed in the details pane.

  5. In the details pane, click the User template.

  6. On the Action menu, click Duplicate Template.

  7. In the Display Name field, type Autoenrolled User.

  8. Make sure that the Publish Certificate in Active Directory check box is selected.

  9. Click the Security tab.

  10. In the Group or user names field, click Domain Users.

  11. In the Permissions for Domain Users list, select the Enroll and Autoenroll permission check boxes and then click OK.

    Autoenrolling Domain Users is only an example. These permission settings vary depending on whom you want to autoenroll for these certificates.

Configure an enterprise certification authority to issue the Autoenrolled User certificate

  1. Open Certification Authority.

  2. In the console tree, click Certificate Templates.

    Where?

    • Certification Authority/CA name/Certificate Templates

  3. On the Action menu, point to New, and then click Certificate to Issue.

  4. Click Autoenrolled User and click OK.

Note

  • To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

Establish policy for autoenrollment of Domain Users

You must be using the Windows Server 2003 Active Directory schema for this procedure to work.

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Under Snap-in, double-click Active Directory Users and Computers, click Close, and then click OK.

  4. In the console tree, click the domain name.

    Where?

    • Active Directory Users and Computers/Domain name

  5. On the Action menu, click Properties.

  6. Click the Group Policy tab and click Edit.

  7. In the console tree, click Public Key Policies under User Configuration.

    Where?

    • Default Domain Policy/User Configuration/Windows Settings/Security Settings/Public Key Policies

  8. In the details pane, double-click Autoenrollment Settings.

  9. Click Enroll certificates automatically.

  10. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.

  11. Select the Update certificates that use certificate templates check box and click OK.

  12. Click File, click Exit, and then click OK.

Notes

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • Unless users refresh their security policy using the GPUpdate command, it will take a number of hours for the autoenrollment policy to take effect.

  • When autoenrollment retrieves a certificate that is configured to be stored on a smart card, you will receive a message when the certificate is ready to be stored on the smart card. If the message refers to a type of smart card that you do not have, click Cancel until the correct smart card type appears. You then provide the smart card PIN and the certificate will be stored on the smart card.

  • When autoenrollment enrolls for a certificate that requires user interaction for the enrollment process, you will receive a Certificate Enrollment message and an icon appears on your taskbar. Clicking that icon or message begins the certificate autoenrollment process.
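The following PowerShell script is an added verification check for the three tasks above; it is not part of the original article and runs from a domain-joined machine as a member of Domain Users. It assumes the template's common name is the display name with spaces removed (the MMC default when duplicating), that the placeholder CA config string is replaced with your "<CA host>\EntCA", and that the user policy has already been refreshed with gpupdate.

```powershell
# Post-configuration check for the autoenrollment walkthrough (added example, not from
# the original article). Replace the CAConfig placeholder with "<CA host>\EntCA".
param(
    [string]$TemplateDisplayName = 'Autoenrolled User',
    [string]$CAConfig = 'CAHOST\EntCA'   # placeholder, not a value from the article
)
$templateCN = $TemplateDisplayName -replace ' ', ''   # assumption: MMC default naming

# Control-access-right GUIDs behind the Enroll and Autoenroll permission check boxes
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-11d2-9cf9-0000f87a1ae9'

# Task 1: the duplicated template exists in the Configuration partition and grants Domain Users
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$templateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$enroll = $false; $autoEnroll = $false
$rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.IdentityReference.Value -notmatch '\\Domain Users$') { continue }
    # An ACE with an empty ObjectType and ExtendedRight (or GenericAll) covers every extended right
    $all = ($ace.ObjectType -eq [guid]::Empty) -and ($ace.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')
    if ($all -or $ace.ObjectType -eq $EnrollGuid)     { $enroll = $true }
    if ($all -or $ace.ObjectType -eq $AutoEnrollGuid) { $autoEnroll = $true }
}

# Task 2: the enterprise CA lists the template among the certificates it will issue
$caOutput = certutil -CATemplates -config $CAConfig 2>&1 | Out-String
$caIssues = $caOutput -match "(?m)^${templateCN}:"

# Task 3: Autoenrollment Settings written to the user's policy hive by the GPO.
# Bit meanings are an assumption to verify in your environment:
# 0x8000 = disabled, 0x2 = renew/pending/revoked management, 0x4 = template-based update.
$aeKey = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
$policyOn = ($null -ne $aePolicy) -and (($aePolicy -band 0x8000) -eq 0)

[pscustomobject]@{
    TemplateCN                 = $templateCN
    DomainUsersEnroll          = $enroll
    DomainUsersAutoEnroll      = $autoEnroll
    CAIssuesTemplate           = $caIssues
    AutoenrollPolicyEnabled    = $policyOn
    RenewAndManageStore        = $policyOn -and (($aePolicy -band 0x2) -ne 0)
    UpdateTemplateCertificates = $policyOn -and (($aePolicy -band 0x4) -ne 0)
}
```

A False in any field points at the corresponding task above; a user who has never logged on since the policy change will show no AEPolicy value until gpupdate /target:user runs.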