Share via


Certificate auto-enrollment configuration and certificate template version

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at https://www.microsoft.com/info/cpyright.htm

For the most part configuring certificate auto-enrollment is a fairly straight forward and well-documented process (see links below).

https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx

Nevertheless, there is one aspect that may not be quite intuitive and it has to do with the certificate templates versions. As you probably are aware Microsoft Enterprise CA supports two types of templates: V1 and V2. V2 templates allow customization and therefore are preferred, but require CA to be running on Windows 2003 Server Enterprise Edition. So where is the non-intuitive part? Well, the auto-enrollment configuration process will differ depending on the type of the template the certificate is based on.

To configure auto-enrollment for certificates based on V2 templates follow these steps:

1. Open Certificate Template MMC and ensure that the template in question has appropriate permissions. For example, if you plan to auto-enroll a group of web servers for a certificate based on V2 template, ensure that those hosts have auto-enroll and read permissions on the template (I would recommend creating a group and assign permissions to the group).

2. In the GPO where the hosts reside configure the following setting – Public Key Policies->Autoenrollment Settings. Set Enroll certificates automatically, also enable renew and update options.

To configure auto-enrollment for certificates based on V1 templates follow these steps:

1. Open Certificate Template MMC and ensure that the template in question has appropriate permissions. For example, if you plan to auto-enroll a group of web servers for a certificate based on V1 template, ensure that those hosts have enroll and read permissions on the template (I would recommend creating a group and assign permissions to the group).

2. In the GPO where the hosts reside configure the following setting – Public Key Policies->Autoenrollment Settings. Set Enroll certificates automatically, also enable renew and update options.

3. In the GPO where the hosts reside configure the following setting – Computer Configuration/Windows Settings/Public Key Policies/Automatic Certificate Request Settings by right-clicking on this configuration node and choosing new Automatic Certificate Request. On the next screen select the template (note that only V1 type of templates will show-up) and click on Finish.

 

 

In both cases make sure to update the GPO by running gpupdate /force.

Comments