Installing Certificate Enrollment Web Services
Note: Microsoft has documented all of the steps to install and configure certificate enrollment Web services.
To set up certificate enrollment Web services
1. Review the requirements as specified by Microsoft at: http://technet.microsoft.com/en-us/library/dd759243.aspx.
2. Follow the instructions at: http://technet.microsoft.com/en-us/library/dd759241.aspx to install the Certificate Enrollment Web Service.
3. Follow the instructions at: http://technet.microsoft.com/en-us/library/dd759214.aspx to install the Certificate Enrollment Policy Web Service.
4. Follow the instructions at: http://technet.microsoft.com/en-us/library/dd759140.aspx to configure server certificates for HTTPS.
Certificate enrollment Web services are now installed. Next, configure policy settings to enable Certificate Autoenrollment.
Configuring Certificate Services Client - Certificate Enrollment Policy Group Policy
If you are using Group Policy, you must configure the Certificate Enrollment Policy Web Service group policy setting to provide the location of the Web service to domain members. Otherwise, you must manually configure the server URL on each system.
To configure certificate enrollment policy
1. On the Web server that hosts the Certificate Enrollment Policy Web Service, open Server Manager.
2. In the console tree, expand Roles, and then expand Web Server (IIS).
3. Click Internet Information Services (IIS) Manager.
4. In the console tree, expand Sites, and click the Web service application that begins with ADPolicyProvider_CEP.
Note: The name of the application is ADPolicyProvider_CEP_AuthenticationType, where AuthenticationType is the Web service authentication type.
5. Under ASP.NET, double-click Application Settings.
Quest One Certificate Autoenrollment Administrator's Guide | Introducing Quest One Certificate Autoenrollment | 13
6. Double-click URI, and copy the URI value.
7. Click Start, type gpmc.msc in the Search programs and files box, and press ENTER.
8. In the console tree, expand the forest and domain that contain the policy that you want to edit, and click Group Policy Objects.
9. Right-click the policy that you want to edit, and click Edit.
10. In the console tree, navigate to User Configuration | Policies | Windows Settings | Security Settings and click Public Key Policies.
11. Double-click Certificate Services Client – Certificate Enrollment Policy.
12. Click Add to open the Certificate Enrollment Policy Server dialog.
13. In the Enter enrollment policy server URI box, type or paste the certificate enrollment policy server URI value obtained earlier.
14. In the Authentication type list, select the authentication type required by the enrollment policy server (Kerberos).
15. Click Validate, and review the messages in the Certificate enrollment policy server properties area.
16. Click Add.
The Add button is available only when the enrollment policy server URI and authentication type are valid.
17. In the Group Policy Object Editor, navigate to Computer Configuration | Policies | Windows Settings | Security Settings and click Public Key Policies.
18. Repeat steps 11-16 for machine configuration.
Configuring Certificate Services Client - Auto-Enrollment Group Policy
If you are using Group Policy, you must enable Certificate Autoenrollment in Group Policy; otherwise, Group Policy may disable Certificate Autoenrollment. If you are not using Group Policy, Certificate Autoenrollment is enabled on each host by default.
To enable Certificate Autoenrollment using Group Policy
1. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, select Administrative Tools, and click Group Policy Management.
2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Group Policy Object (GPO) that you want to edit.
3. Right-click the GPO, and click Edit.
4. In the Group Policy Object Editor, navigate to User Configuration | Windows Settings | Security Settings and click Public Key Policies.
5. Double-click Certificate Services Client - Auto-Enrollment.
6. Next to Configuration Model, select Enabled from the drop-down list to enable auto-enrollment.
7. Click OK to accept your changes.
8. In the Group Policy Object Editor, navigate to Computer Configuration | Windows Settings | Security Settings and click Public Key Policies.
9. Repeat steps 5-7 for machine configuration.
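A check worth running after both Group Policy procedures above (the Certificate Enrollment Policy server and the Auto-Enrollment model): the following PowerShell script, added here and not part of the Quest guide, reads the policy-applied settings on a domain-joined Windows member and reports what actually reached it. The registry locations and value names it reads (PolicyServers\<id> with URL and AuthFlags, AutoEnrollment\AEPolicy) and the AuthFlags meanings are assumptions to confirm against your own hosts; run gpupdate /force first so the GPO has been applied.

```powershell
# Added verification script (not from the Quest guide). Run on a domain-joined
# Windows client after gpupdate to see whether both GPO settings reached it.
# Assumed (label: assumption) locations written by the two policies:
#   <hive>\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers\<id>
#       values URL (REG_SZ) and AuthFlags (2=Kerberos, 4=Username/password, 8=Certificate)
#   <hive>\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy
#       0x7 = Enabled (with renew/update), 0x8000 = Disabled, absent = Not configured
$contexts  = [ordered]@{ Machine = 'HKLM:'; User = 'HKCU:' }
$authNames = @{ 2 = 'Kerberos'; 4 = 'Username/password'; 8 = 'Certificate' }

foreach ($ctx in $contexts.Keys) {
    $base = "$($contexts[$ctx])\SOFTWARE\Policies\Microsoft\Cryptography"
    Write-Host "== $ctx configuration =="

    # 1. Enrollment policy servers pushed by the Certificate Enrollment Policy GPO (steps 11-16)
    $servers = Get-ChildItem "$base\PolicyServers" -ErrorAction SilentlyContinue
    if (-not $servers) {
        Write-Warning "$ctx: no enrollment policy server delivered by GPO; clients need a manual URL"
    }
    foreach ($s in $servers) {
        $p    = Get-ItemProperty $s.PSPath
        $auth = $authNames[[int]$p.AuthFlags]
        if (-not $auth) { $auth = 'unknown (0x{0:X})' -f [int]$p.AuthFlags }
        $isHttps = $p.URL -like 'https://*'
        Write-Host ("  CEP URI: {0}  auth: {1}  https: {2}" -f $p.URL, $auth, $isHttps)
        # CEP is only reachable over HTTPS; an http:// URI means step 4 of the install was skipped
        if (-not $isHttps) { Write-Warning "  $($p.URL) is not an HTTPS URI" }
    }

    # 2. Auto-Enrollment configuration model (steps 5-7). Do not use switch here: a
    #    PowerShell switch over $null runs no case at all, so test explicitly.
    $ae = (Get-ItemProperty "$base\AutoEnrollment" -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $ae) {
        Write-Host "  AutoEnrollment: Not configured by GPO (host default applies)"
    } elseif ($ae -band 0x8000) {
        Write-Warning ("  AutoEnrollment: Disabled by GPO (AEPolicy=0x{0:X})" -f $ae)
    } else {
        Write-Host ("  AutoEnrollment: Enabled (AEPolicy=0x{0:X})" -f $ae)
    }
}
```

The User hive is read for the account running the script, so run it as a user who is in scope of the GPO to check the User Configuration half.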
Configuring Certificate Templates for Auto-enrollment
Certificate enrollment is based on templates, which define the properties of the certificates that the Certificate Authority (CA) issues when clients request them.
To create a new certificate template
1. On the server hosting your Enterprise CA, click Start, select Administrative Tools, and click Certification Authority.
2. In the console tree, expand the CA root node, select Certificate Templates, and click Manage.
3. In the Certificate Templates console, select the template that you would like to enable for auto-enrollment, or create a new template.
4. Double-click the template to open its properties and select the Security tab.
5. Add the users and machines that you want to automatically enroll for the certificate and select the Autoenroll permission option.
6. Click Apply.
The vascert -b list command should now return output similar to the following:
Policy Templates:
Computer (Machine) [Enroll]
Workstation Authentication (Machine) [AutoEnroll,Enroll]