Configuring Certificate Services Client - Auto-Enrollment
If you are using Group Policy, you must enable Certificate Autoenrollment in Group Policy otherwise, Group Policy may disable Certificate Autoenrollment. If you are not using Group Policy, Certificate Autoenrollment is enabled on each host by default.
To enable Certificate Autoenrollment using Group Policy
- On a domain controller running Windows Server 2008 R2 or Windows Server 2008, open the Start menu and navigate to Administrative Tools | Group Policy Management.
- In the console tree, double-click Group Policy Objects in the forest and domain containing the Group Policy Object (GPO) that you want to edit.
- Right-click the GPO, and click Edit.
- In the Group Policy Object Editor, navigate to User Configuration | Policies | Windows Settings | Security Settings and click Public Key Policies.
- Double-click Certificate Services Client - Auto-Enrollment.
- Next to Configuration Model, select Enabled from the drop-down list to enable autoenrollment.
- Click OK to accept your changes.
- In the Group Policy Object Editor, navigate to Computer Configuration | Policies | Windows Settings | Security Settings and click Public Key Policies.
- Repeat steps 5-7 for machine configuration.
Configuring Certificate Templates for Auto-enrollment
Certificate enrollment is based on templates which define the properties of certificates generated by the Certificate Authority (CA) when clients request certificates.
To create a new certificate template
- On the server hosting your Enterprise CA, click Start, select Administrative Tools, and click Certification Authority.
- In the console tree, expand the CA root node, select Certificate Templates, and click Manage.
- In the Certificate Templates console, select the template that you would like to enable for autoenrollment, or create a new template.
- Double-click the template to open its properties and select the Security tab.
- Add the users and machines that you want to automatically enroll for the certificate and select the Autoenroll permission option.
- Click Apply.
Using Certificate Autoenrollment
Certificate Autoenrollment is an automatic process which runs as-needed on client systems according to Group Policy or according to manual configuration if you are not using Group Policy. Certificate Autoenrollment typically requires no user interaction. After Certificate Autoenrollment is complete, certificates appear in the user's keychain for user-based enrollment or in the system keychain for machine-based enrollment.
Certificate Autoenrollment runs when:
- a user logs in
- Group Policy machine processing occurs (at machine startup and periodically thereafter)
- vascert trigger runs manually (for machine-based enrollment)
If Group Policy is in use and a Certificate Services Client - Auto-Enrollment Group Policy indicates that Certificate Autoenrollment should occur, then the Certificate Autoenrollment client runs. The Certificate Autoenrollment client then downloads and evaluates Certificate Autoenrollment policy and uses this information to determine whether any certificates should be enrolled.
The following sections explain how to manually configure Certificate Autoenrollment if you are not using Group Policy. In most cases you will use the /opt/quest/bin/vascert command, the Certificate Autoenrollment processor for Unix and Mac clients.
Configuring Certificate Autoenrollment manually
Once Certificate Autoenrollment is installed, you must configure your machine to use it. If you are using One Identity Authentication Services with Group Policy, then skip the manual configuration described in this section as Group Policy performs these tasks automatically.
NOTE: Mac OS X/macOS: Group Policy functionality is not available when used with the Apple Directory Services plug-in. When Group Policy is not available, you must manually configure certificate enrollment policy servers and schedule machine certificate enrollment to run on an interval if desired.
Configure a machine for Certificate Autoenrollment
Configure a user for Certificate Autoenrollment
Trigger machine-based Certificate Autoenrollment