Configuring Certificate Services Client - Certificate Enrollment Policy Group Policy
If you are using Group Policy, you must configure the Certificate Enrollment Policy Web Service Group Policy setting so that domain members learn the location of the web service. Otherwise, you must configure the server URL manually on each system, as explained in Using Certificate Autoenrollment.
To configure certificate enrollment policy
- On the web server that hosts the Certificate Enrollment Policy Web Service, open Server Manager.
- In the console tree, expand Roles, and then expand Web Server (IIS).
- Click Internet Information Services (IIS) Manager.
- In the console tree, expand Sites, and click the web service application whose name begins with ADPolicyProvider_CEP.
Note: The name of the application is ADPolicyProvider_CEP_AuthenticationType, where AuthenticationType is the web service authentication type.
- Under ASP.NET, double-click Application Settings.
- Double-click URI, and copy the URI value.
- Click Start, type gpmc.msc in the Search programs and files box, and press ENTER.
- In the console tree, expand the forest and domain that contain the policy that you want to edit, and click Group Policy Objects.
- Right-click the policy that you want to edit, and then click Edit.
- In the console tree, navigate to User Configuration | Policies | Windows Settings | Security Settings and click Public Key Policies.
- Double-click Certificate Services Client – Certificate Enrollment Policy.
- Click Add to open the Certificate Enrollment Policy Server dialog.
- In the Enter enrollment policy server URI box, type or paste the certificate enrollment policy server URI obtained earlier.
- In the Authentication type list, select the authentication type required by the enrollment policy server (Kerberos).
- Click Validate, and review the messages in the Certificate enrollment policy server properties area.
- Click Add. The Add button is available only when the enrollment policy server URI and authentication type are valid.
- In the Group Policy Object Editor, navigate to Computer Configuration | Policies | Windows Settings | Security Settings and click Public Key Policies.
- Repeat steps 11-16 for machine configuration.
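As an added example (it is not part of the original documentation and not Quest's own tooling), the following PowerShell does the two halves of this procedure as checks rather than by hand: on the CEP web server it reads the URI value that step 6 copies from the ASP.NET application settings, and on a Windows domain member in the same domain it lists the enrollment policy servers that the edited GPO actually delivered, with their authentication type. The site name Default Web Site, the application name ADPolicyProvider_CEP_Kerberos, the registry layout under SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers, and the sample URI in the usage comment are assumptions about a default installation; verify them on your build.

```powershell
# Added example: check the Certificate Enrollment Policy Web Service URI
# and confirm that Group Policy delivered it to a domain member.
# Assumptions (not from the original page): the CEP application sits under
# "Default Web Site" as ADPolicyProvider_CEP_Kerberos, and Group Policy writes
# enrollment policy servers under ...\Policies\Microsoft\Cryptography\PolicyServers.

# Run on the CEP web server: returns the URI value that step 6 copies by hand.
function Get-CepUri {
    param([string]$Site = 'Default Web Site',
          [string]$App  = 'ADPolicyProvider_CEP_Kerberos')
    Import-Module WebAdministration
    $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site\$App" `
        -Filter "appSettings/add[@key='URI']" -Name value
    $uri = if ($raw -is [string]) { $raw } else { $raw.Value }
    if ($uri -notmatch '^https://') {
        Write-Warning "CEP URI '$uri' is not HTTPS; enrollment policy would travel in the clear."
    }
    return $uri
}

# Run on a Windows domain member after 'gpupdate /force': lists the policy
# servers Group Policy delivered. HKLM = Computer Configuration, HKCU = User Configuration.
# AuthFlags follows the X509EnrollmentAuthFlags enumeration (2 = Kerberos).
function Get-DeliveredPolicyServers {
    param([string]$ExpectedUri)
    $authNames = @{ 1 = 'Anonymous'; 2 = 'Kerberos'; 4 = 'Username/Password'; 8 = 'Client certificate' }
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers"
        if (-not (Test-Path -Path $base)) {
            Write-Warning "${hive}: no enrollment policy servers delivered (GPO not linked, not applied, or not configured)."
            continue
        }
        foreach ($sub in Get-ChildItem -Path $base) {
            $p = Get-ItemProperty -Path $sub.PSPath
            [pscustomobject]@{
                Scope        = if ($hive -eq 'HKLM') { 'Computer' } else { 'User' }
                FriendlyName = $p.FriendlyName
                URL          = $p.URL
                Auth         = $authNames[[int]$p.AuthFlags]
                MatchesCep   = if ($ExpectedUri) { $p.URL -eq $ExpectedUri } else { 'n/a' }
            }
        }
    }
}

# Usage (the URI below is a placeholder; use the value Get-CepUri returned):
#   On the CEP server:   Get-CepUri
#   On a domain member:  Get-DeliveredPolicyServers -ExpectedUri 'https://cep.example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP' | Format-Table -AutoSize
```

Both scopes (Computer and User) should show the same URL with Auth = Kerberos once the user and machine halves of the procedure are done; a missing scope means one half was skipped or the GPO has not applied yet.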
Configuring Certificate Services Client - Auto-Enrollment Group Policy
If you are using Group Policy, you must enable Certificate Autoenrollment in Group Policy; otherwise, Group Policy may disable Certificate Autoenrollment. If you are not using Group Policy, Certificate Autoenrollment is enabled on each host by default.
To enable Certificate Autoenrollment using Group Policy
- On a domain controller running Windows Server 2008 R2, open the Start menu and navigate to Administrative Tools | Group Policy Management.
- In the console tree, double-click Group Policy Objects in the forest and domain containing the Group Policy Object (GPO) that you want to edit.
- Right-click the GPO, and click Edit.
- In the Group Policy Object Editor, navigate to User Configuration | Policies | Windows Settings | Security Settings and click Public Key Policies.
- Double-click Certificate Services Client - Auto-Enrollment.
- Next to Configuration Model, select Enabled from the drop-down list to enable autoenrollment.
- Click OK to accept your changes.
- In the Group Policy Object Editor, navigate to Computer Configuration | Policies | Windows Settings | Security Settings and click Public Key Policies.
- Repeat steps 5-7 for machine configuration.
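As an added example (not part of the original documentation), the following PowerShell reads the Auto-Enrollment setting straight out of the GPO for both the User Configuration and Computer Configuration scopes, so you can confirm that both halves of the procedure were saved without opening the editor again. It assumes the GroupPolicy module (RSAT) is installed, that the setting is stored in the GPO as the AEPolicy DWORD under SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment, and that bit 0x8000 is set when the Configuration Model is Disabled; the GPO name in the usage comment is a placeholder.

```powershell
# Added example: read the Auto-Enrollment setting out of a GPO for both scopes.
# Assumptions (not from the original page): the setting lives in the GPO as the
# AEPolicy DWORD under SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment,
# bit 0x8000 means "Disabled", and the value is absent when "Not configured".
function Get-GpoAutoEnrollment {
    param([Parameter(Mandatory)][string]$GpoName)
    Import-Module GroupPolicy

    foreach ($scope in @(@{ Name = 'Computer'; Hive = 'HKLM' }, @{ Name = 'User'; Hive = 'HKCU' })) {
        $key = "$($scope.Hive)\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        # Get-GPRegistryValue throws when the value is not present in the GPO;
        # treat that as "Not configured".
        $v = Get-GPRegistryValue -Name $GpoName -Key $key -ValueName AEPolicy -ErrorAction SilentlyContinue
        $model = if ($null -eq $v) { 'Not configured' }
                 elseif (([int]$v.Value -band 0x8000) -ne 0) { 'Disabled' }
                 else { 'Enabled' }
        [pscustomobject]@{
            Gpo      = $GpoName
            Scope    = $scope.Name
            Model    = $model
            AEPolicy = if ($null -eq $v) { $null } else { '0x{0:X}' -f [int]$v.Value }
        }
    }
}

# Usage (GPO name is a placeholder):
#   Get-GpoAutoEnrollment -GpoName 'Certificate Autoenrollment' | Format-Table -AutoSize
```

Both rows should report Model = Enabled. A row that reads Not configured means the corresponding half (user or machine) was never saved; a row that reads Disabled is the case the introduction warns about, where Group Policy actively switches autoenrollment off on the hosts it applies to.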
Configuring Certificate Templates for autoenrollment
Certificate enrollment is based on templates, which define the properties of the certificates that the Certificate Authority (CA) issues when clients request them.
To create a new certificate template
- On the server hosting your Enterprise CA, click Start, select Administrative Tools, and click Certification Authority.
- In the console tree, expand the CA root node, select Certificate Templates, and click Manage.
- In the Certificate Templates console, select the template that you would like to enable for autoenrollment, or create a new template.
- Double-click the template to open its properties and select the Security tab.
- Add the users and machines that you want to enroll automatically for the certificate, and select the Autoenroll permission.
- Click Apply.
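The Security tab change above is the one that decides who can obtain certificates without any interaction, so it is worth auditing. As an added example (not part of the original documentation), the following PowerShell reads the template's ACL from the Configuration partition and lists every principal that holds Enroll or Autoenroll on it, including grants that imply those rights through "all extended rights" or GenericAll. It assumes the ActiveDirectory module (RSAT) is available and that the caller can read the Configuration partition; the extended-right GUIDs are the well-known values for Enroll and Autoenroll, and the template name in the usage comment is a placeholder.

```powershell
# Added example: list which principals hold Enroll and Autoenroll on a
# certificate template, so the Security tab change can be checked against
# least privilege. Requires the ActiveDirectory module (RSAT).
function Get-TemplateEnrollmentRights {
    # $TemplateName is the template's name (the cn in AD), not its display name.
    param([Parameter(Mandatory)][string]$TemplateName)
    Import-Module ActiveDirectory

    # Well-known extended-right GUIDs for certificate templates.
    $enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $autoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

    # Templates live in the Configuration partition, which the AD: drive exposes.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        $rights     = $ace.ActiveDirectoryRights
        $isExtended = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $isGeneric  = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq `
                      [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        if (-not $isExtended -and -not $isGeneric) { continue }

        # For an extended-right ACE, ObjectType names the specific right;
        # an empty GUID means every extended right, which covers both.
        $right = switch ($ace.ObjectType) {
            $enrollGuid     { 'Enroll' }
            $autoenrollGuid { 'Autoenroll' }
            ([guid]::Empty) { if ($isGeneric) { 'GenericAll (implies both)' } else { 'All extended rights (implies both)' } }
            default         { $null }
        }
        if (-not $right) { continue }

        [pscustomobject]@{
            Template  = $TemplateName
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Type      = $ace.AccessControlType   # Allow or Deny
        }
    }
}

# Usage (template name is a placeholder):
#   Get-TemplateEnrollmentRights -TemplateName 'UnixHostAuth' | Format-Table -AutoSize
```

Review any Autoenroll grant that is broader than the group of users or machines you intended to add in the step above; a wide group here means every member silently receives a certificate from this template at the next autoenrollment run.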
Using Certificate Autoenrollment
Certificate Autoenrollment is an automatic process that runs as needed on client systems, according to Group Policy or, if you are not using Group Policy, according to manual configuration. It typically requires no user interaction. After Certificate Autoenrollment completes, certificates appear in the user's keychain for user-based enrollment or in the system keychain for machine-based enrollment.
Certificate Autoenrollment runs when:
- A user logs in
- Group Policy machine processing occurs (at machine startup and periodically thereafter)
- The vascert trigger command is run manually (for machine-based enrollment)
If Group Policy is in use and a Certificate Services Client - Auto-Enrollment Group Policy indicates that Certificate Autoenrollment should occur, the Certificate Autoenrollment client runs. It then downloads and evaluates the Certificate Autoenrollment policy and uses that information to determine whether any certificates should be enrolled.
The following sections explain how to configure Certificate Autoenrollment manually if you are not using Group Policy. In most cases you will use the /opt/quest/bin/vascert command, the Certificate Autoenrollment processor for Unix and Mac clients.