Certificate enrollment is based on templates which define the properties of certificates generated by the Certificate Authority (CA) when clients request certificates.
To create a new certificate template
Certificate Autoenrollment is an automatic process that runs as-needed on client systems according to Group Policy or according to manual configuration if you are not using Group Policy. Certificate Autoenrollment typically requires no user interaction. After Certificate Autoenrollment is complete, certificates appear in the user's keychain for user-based enrollment or in the system keychain for machine-based enrollment.
Certificate Autoenrollment runs when:
If Group Policy is in use and a Certificate Services Client - Auto-Enrollment Group Policy indicates that Certificate Autoenrollment should occur, then the Certificate Autoenrollment client runs. The Certificate Autoenrollment client then downloads and evaluates Certificate Autoenrollment policy and uses this information to determine whether any certificates should be enrolled.
Each of these steps can be invoked manually for testing and troubleshooting. To start Group Policy manually, use the vgptool command. To run Certificate Autoenrollment, use the vascert command. These commands are installed in /opt/quest/bin.
Once Certificate Autoenrollment is installed, you must configure your machine to use it. If you are using One Identity Safeguard Authentication Services with Group Policy, then skip the manual configuration described in this section as Group Policy performs these tasks automatically.
NOTE: Group Policy functionality is not available when used with the Apple Directory Services plug-in. When Group Policy is not available, you must manually configure certificate enrollment policy servers and schedule machine certificate enrollment to run on an interval if desired.
Configure a machine for Certificate Autoenrollment
Configure a user for Certificate Autoenrollment
Trigger machine-based Certificate Autoenrollment
Use the vascert command line utility to configure your machine for Certificate Autoenrollment. Your computer must be joined to the Active Directory domain where your certificate enrollment policy server resides.
NOTE: Unless you are using Group Policy, machine processing must be triggered manually using the vascert trigger command. You can schedule this command to run at an interval.
To configure your machine for Certificate Autoenrollment
As root (or using sudo), run the following command to configure a machine for Certificate Autoenrollment:
/opt/quest/bin/vascert server add -r <policy server URL>
Where <policy server URL> is the actual HTTP URL of your certificate enrollment policy server.
For example: https://example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
NOTE: You can configure more than one certificate enrollment policy server. Certificate Autoenrollment will choose the most appropriate server automatically when performing certificate enrollment.
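The manual (non-Group Policy) setup described above, from registering the policy server with vascert server add -r through scheduling vascert trigger on an interval, as an added example script that is not One Identity's own code. It assumes only the /opt/quest/bin/vascert binary and the server add -r and trigger subcommands named on this page; the function names, the cron file layout, the 1-23 hour interval range and the HTTPS-only check are this example's own choices (the page calls the value an HTTP URL, but its sample endpoint is https and the policy exchange carries certificate requests, so plain http is refused here by design).

```shell
#!/bin/sh
# Added example, not One Identity's code: configure a machine for Certificate
# Autoenrollment without Group Policy and schedule the manual trigger.
# Assumes the vascert binary and its "server add -r" / "trigger" subcommands
# from the page; everything else (function names, cron layout, HTTPS check)
# is this example's own choice. Run as root (or via sudo), as the page says.

VASCERT="${VASCERT:-/opt/quest/bin/vascert}"
CRON_FILE="${CRON_FILE:-/etc/cron.d/vascert-autoenroll}"

# Accept only an HTTPS URL with a path for the enrollment policy server.
# Plain http is rejected by design (example policy, not a vascert rule).
validate_policy_url() {
    case "$1" in
        https://*/*) return 0 ;;
        http://*)    echo "refusing plain-http policy server: $1" >&2; return 1 ;;
        *)           echo "not a policy server URL: $1" >&2; return 1 ;;
    esac
}

# Build the /etc/cron.d line that re-runs machine enrollment every N hours
# as root (the machine keystore is root-owned). N must be 1-23 so the
# resulting "*/N" hour field is valid cron syntax.
build_cron_line() {
    hours="$1"
    case "$hours" in
        ''|*[!0-9]*) echo "interval must be a whole number of hours" >&2; return 1 ;;
    esac
    [ "$hours" -ge 1 ] && [ "$hours" -le 23 ] || {
        echo "interval must be between 1 and 23 hours" >&2; return 1; }
    printf '0 */%s * * * root %s trigger\n' "$hours" "$VASCERT"
}

# Register every policy server given (vascert picks the most appropriate one
# at enrollment time), run one enrollment pass now, then install the schedule.
# Usage: configure_autoenroll <hours> <policy server URL>...
configure_autoenroll() {
    hours="$1"; shift
    [ "$#" -ge 1 ] || { echo "at least one policy server URL is required" >&2; return 1; }
    for url in "$@"; do
        validate_policy_url "$url" || return 1
        "$VASCERT" server add -r "$url" || return 1
    done
    "$VASCERT" trigger || return 1
    build_cron_line "$hours" > "$CRON_FILE"
}
```

Typical use is `configure_autoenroll 6 https://example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP`, which registers the server, enrolls immediately and leaves a cron entry that re-runs vascert trigger every six hours; the validation runs before any vascert call so a mistyped URL never reaches the configuration.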
© 2024 One Identity LLC. ALL RIGHTS RESERVED.