Selecting a Certificate Enrollment and Renewal Method

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To enable enrollment, you need to specify the enrollment and renewal processes for your certificates. Enrollment involves either configuring permissions to establish which security principals have Enroll permissions for specific templates (in the case of enterprise CAs) or appointing a certificate administrator who reviews each certificate request and issues or denies the request based on the information provided.

Microsoft Certificate Services supports the ability to process certificate requests manually, if administrative approval is required, or automatically, if no approval is necessary. The following enrollment and renewal methods are available:

  • Certificate autoenrollment and renewal. Allows you to automatically issue certificates that enable PKI applications, such as smart card logon, EFS, SSL, and S/MIME, to users and computers within an Active Directory environment. Certificate autoenrollment is based on a combination of Group Policy settings and certificate templates, which allows you to enroll computers when they start up and to enroll users when they log on to their domain.

    Note

    • To use autoenrollment, you need a Windows Server 2003 domain controller, a Windows XP Professional client, and a Windows Server 2003 Advanced Server enterprise CA.
  • Certificate Request Wizard and Certificate Renewal Wizard. Available from the Certificates console. You can use the Certificate Request Wizard to request a certificate from an active enterprise CA on behalf of a user, computer, or service.

    Note

    • This option can only be used for Windows 2000, Windows Server 2003, and Windows XP users, computers, and services.
  • Web Enrollment Support pages. Contain Active Server Pages and ActiveX controls that provide a Web-based user interface to a CA. By default, the Web Enrollment Support pages are automatically installed on the computer on which the CA is installed, but you can also install the Web Enrollment Support pages on another Windows Server 2003 computer. You can also customize Web Enrollment Support pages. For example, you can limit user options or provide additional links to online user instructions and user support information.

    Note

    • You can use Web Enrollment Support pages on stand-alone CAs to issue most of the same types of certificates that enterprise CAs can issue, with the exception of certificates for smart card logon and for autoenrollment, which must be issued and renewed by an enterprise CA. The Web Enrollment Support pages that are installed on stand-alone CAs do not use certificate templates, so all information about the certificate, including information about the requester (and, if asking for a specific application, a correct object identifier), must be specified in the certificate request.
  • Smart card enrollment station. Advanced version of the Web Enrollment Support pages that allows trusted administrators or security personnel to enroll for smart card certificates on behalf of other users. For more information about using the smart card enrollment station, see "Planning a Smart Card Deployment" in this book.
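The Enroll permissions that govern enterprise CA enrollment (first paragraph) and the Autoenroll permission that template-based autoenrollment depends on (first list item) are both stored as access control entries on the template objects in Active Directory. The following PowerShell script is an added example written for this page; it is not part of the original documentation or of any Microsoft tool. It assumes PowerShell 2.0 or later on a domain-joined computer, run under a domain account with the default read access to the Configuration partition, and uses only System.DirectoryServices from the .NET Framework, so no RSAT module is needed. The two control-access-right GUIDs are the well-known values Active Directory uses for Certificate-Enrollment and Certificate-AutoEnrollment.

```powershell
# Added example, not from the original documentation: list, for every
# certificate template published in Active Directory, which security
# principals hold the Enroll and Autoenroll permissions. Assumes PowerShell
# 2.0+ on a domain-joined machine with read access to the Configuration
# partition; nothing outside the .NET Framework is required.

Set-StrictMode -Version 2

# Well-known control-access-right GUIDs carried in the ObjectType field of an ACE.
$script:EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$script:AutoEnrollRight = [Guid]'a05b8cc2-17bc-11d2-87b8-00c04f79f5d8'  # Certificate-AutoEnrollment

function Resolve-Sid {
    # Translate a SID to DOMAIN\Name; keep the raw SID for orphaned entries so
    # they are still reported rather than silently dropped.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

function Get-EnrollmentRightName {
    # Classify one ACE as 'Enroll', 'Autoenroll', 'All' (GenericAll or an
    # unrestricted ExtendedRight grant, either of which implies both), or $null.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)

    $rights        = [int]$Rule.ActiveDirectoryRights
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    if (($rights -band $genericAll) -eq $genericAll)  { return 'All' }
    if (($rights -band $extendedRight) -eq 0)         { return $null }

    # ExtendedRight with an empty ObjectType grants every extended right.
    if ($Rule.ObjectType -eq [Guid]::Empty)           { return 'All' }
    if ($Rule.ObjectType -eq $script:EnrollRight)     { return 'Enroll' }
    if ($Rule.ObjectType -eq $script:AutoEnrollRight) { return 'Autoenroll' }
    return $null
}

function Get-TemplateEnrollmentAcl {
    # Walk the Certificate Templates container and emit one object per
    # enrollment-related ACE on each pKICertificateTemplate object.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNc  = $rootDse.configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($template in $container.psbase.Children) {
        if ($template.psbase.SchemaClassName -ne 'pKICertificateTemplate') { continue }

        $templateName = $template.psbase.Properties['cn'].Value
        $rules = $template.psbase.ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])

        foreach ($rule in $rules) {
            $right = Get-EnrollmentRightName -Rule $rule
            if ($right -eq $null) { continue }

            New-Object PSObject -Property @{
                Template   = $templateName
                Identity   = Resolve-Sid $rule.IdentityReference
                Right      = $right
                AccessType = $rule.AccessControlType.ToString()   # Allow or Deny
            }
        }
    }
}

# Usage: a table of who may enroll (or autoenroll) for which template.
Get-TemplateEnrollmentAcl |
    Sort-Object Template, Right, Identity |
    Format-Table Template, Right, AccessType, Identity -AutoSize
```

Read the output against the distribution policies discussed later in this section: an Autoenroll entry is what makes a template eligible for the Group Policy driven autoenrollment described above, so every identity listed with that right should be one you intend to enroll automatically, and Deny entries are listed too because they override an Allow for the same principal.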

To select the certificate enrollment and renewal processes that are appropriate for your organization, you need to consider the following:

  • The users, computers, and services for which you intend to issue certificates. Determine whether they are internal or external to the organization. Identify the operating systems they are running and determine whether or not they are connected to Active Directory.

  • The operating system that your clients are using. Clients running Windows Server 2003 and Windows XP can use the Certificate Request Wizard, autoenrollment, or the smart card enrollment station. Windows 2000 supports the Certificate Request Wizard but does not support smart card autoenrollment. Autoenrollment and the smart card enrollment station also require Active Directory. Most other clients can use their Web browsers to access Web-based enrollment and renewal services.

  • The policies that you establish in order to manage certificate distribution. This includes both the procedural policies that you establish for your PKI, and the Group Policy settings that you use to implement those policies.

  • The type of CA that is issuing the certificates. For example, you must have a Windows 2000 or Windows Server 2003 enterprise CA to use the smart card enrollment station. Only Windows Server 2003 CAs support smart card autoenrollment.

Selecting certificate enrollment and renewal processes involves making decisions about the following:

  • Automatic versus manual requests

  • Automatic versus manual approval

  • An enrollment and renewal user interface

  • CA certificate renewal