Prior to installing One Identity Certificate Autoenrollment, ensure your system meets the following minimum hardware and software requirements.
Table 2: Certificate Autoenrollment: Minimum requirements
Operating system |
macOS 10.13 (or later) |
Java unlimited strength policy files |
For more information, see For more information, see Java requirement: Unlimited Strength Jurisdiction Policy Files.. |
Authentication Services |
One Identity Authentication Services version 4.1.2 (or later). |
Additional software |
Certificate Autoenrollment depends on services provided by a Microsoft Enterprise Certificate Authority (CA) in your environment.
In addition to Active Directory and an Enterprise CA, you must install the following software in your environment:
In order for Certificate Autoenrollment to function on client computers, you must configure the following policies:
Additionally, you must configure Java 1.6 (or later) as the default JVM for your system.
NOTE: Install JRE (Java Runtime Environment) on all platforms other than macOS. macOS requires JDK (Java Development Kit). Typing java on the command line provides instructions.
-
For Linux/UNIX operating systems, install JRE 1.6 (or later).
-
For Mac OS X (that is, your operating system tells you to get it from Apple), install what Apple provides (JRE).
-
For macOS (that is, your operating system tells you to get it from Oracle), install the JDK. |
Rights |
Enterprise Administrator rights to install software and configure Group Policy and Certificate Template policy (only if Certificate Autoenrollment is not already configured for Windows hosts in your environment.) |
By default, most JRE and JDK implementations enforce limits on cryptographic key strengths that satisfy US export regulations. These limits are often insufficient for Certificate Autoenrollment and may lead to "java.security.InvalidKeyException: Illegal key size" failures. The "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" can be installed to remove these limits and enable Certificate Autoenrollment to function properly.
Do I need the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files?
In general the answer is: Yes, these files are needed.
Java 9 and above do not require these files, but Java 6, 7, and 8 rely on these files.
Obtaining and installing the policy files
For Java implementations from IBM, the policy files are usually bundled with the JDK but not the JRE, so it may be more convenient to install the JDK rather than just the JRE. Once the JDK is installed its demo/jce/policy-files/unrestricted directory should contain two JAR files:
-
local_policy.jar
-
US_export_policy.jar
Use these files to replace the corresponding JAR files in the jre/lib/security directory of the JDK. Alternatively, the "Unrestricted SDK JCE policy files" can be downloaded from ibm.com.
For Java implementations from Sun, Oracle and Apple and for OpenJDK implementations, the policy files must be downloaded from Oracle. Each major Java version requires its own policy files:
Each of these downloads is a zip file that includes a README.txt and two JAR files, local_policy.jar and US_export_policy.jar. Use these JAR files to replace the corresponding files in the JRE or JDK:
The following procedures walk you through the installation and configuration of the required components. If Certificate Autoenrollment is already configured for Windows hosts in your environment, you can skip to Using Certificate Autoenrollment.
To perform these procedures, you need Enterprise Administrator rights to install software and configure Group Policy and Certificate Template policy.
Note: Microsoft has documented all of the steps to install and configure Certificate Enrollment Web Services.
Certificate Enrollment Web Services are now installed. Next, you will configure policy settings to enable Certificate Autoenrollment.
If you are using Group Policy, you must configure the Certificate Enrollment Policy Web Service group policy setting to provide the location of the web service to domain members. Otherwise, you must manually configure the server URL on each system as explained in Using Certificate Autoenrollment.
To configure certificate enrollment policy
-
On the web server that hosts the Certificate Enrollment Policy Web Service, open Server Manager.
-
In the console tree, expand Roles, then expand Web Server (IIS).
-
Click Internet Information Services (IIS) Manager.
-
In the console tree, expand Sites, and click the web service application that begins with ADPolicyProvider_CEP.
Note: The name of the application is ADPolicyProvider_CEP_AuthenticationType, where AuthenticationType is the web service authentication type.
-
Under ASP.NET, double-click Application Settings.
-
Double-click URI, and copy the URI value.
-
Click Start, type gpmc.msc in the Search programs and files box, and press Enter.
-
In the console tree, expand the forest and domain that contain the policy that you want to edit, and click Group Policy Objects.
-
Right-click the policy that you want to edit, then click Edit.
-
In the console tree, navigate to User Configuration > Policies > Windows Settings > Security Settings and click Public Key Policies.
-
Double-click Certificate Services Client – Certificate Enrollment Policy.
-
Click Add to open the Certificate Enrollment Policy Server dialog.
-
In the Enter enrollment policy server URI box, type or paste the certificate enrollment policy server URI obtained earlier.
-
In the Authentication type list, select the authentication type required by the enrollment policy server (Kerberos).
-
Click Validate, and review the messages in the Certificate enrollment policy server properties area.
-
Click Add.
The Add button is available only when the enrollment policy server URI and authentication type are valid.
-
In the Group Policy Object Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings and click Public Key Policies.
-
Repeat steps 11-16 for machine configuration.