Saturday, 4 March 2017

How to enable certificate autoenrollment


Welcome back! In this post, we’ll do a quick demo of how you can enable certificate autoenrollment for a computer certificate. This means that the computer (or server) will get its own certificate……eventually……and you don’t (really) need to do anything.

How to enable certificate autoenrollment

Okay, so you have to do something! The first step is to open the Certification Authority snap-in on your CA or management computer, right click on Certificate Templates and click Manage.
You should now see a list of certificate templates you can configure:
Right click the Computer certificate template and duplicate it. Call your new certificate Computer 2 and change any settings you need to change (e.g. validity period)
Click on the Security tab and grant Enroll and Autoenroll permissions for Domain Computers (or whatever group of computers you need to configure autoenrollment for)
Create a Group Policy Object which is linked to the domain and go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-Enrollment. Select Enable and tick Renew expired certificates and tick Update certificates that use templates. Although we link the GPO to the domain, we are in fact only allowing the group with permissions on the computer certificate to actually autoenroll and get the certificate
Now, to get your clients to actually autoenroll for a certificate, you can either wait a while or restart or run force the clients to autoenroll immediately with certutil /pulse.
This creates a certificate in the Local Machine personal store:
………and it has a common name which matches the FQDN of the client ( in our case):

No comments:

Post a comment