Aug 06 2014

Set Up Automatic Certificate Enrollment (Autoenroll)

Managing certificates usually does not need much intervention. Issuing and enrolling for certificates is a piece of cake… in a small environment. But if you are running more than, let’s say, 50 workstations and servers, enrolling for certificates is a week’s job, if not more. To ease the work, or rather to automate it, you can use Active Directory, since you already have the tool in your hands. This is one of the advantages of an Active Directory domain with an Enterprise CA: you can deploy certificates automatically using a process known as autoenrollment. This greatly reduces the administrative overhead required to deploy certificates to your clients, and all you need for it is a GPO linked to your domain or an OU and configured with the autoenroll policy.

Before we start, I presume you already have Active Directory Certificate Services installed and at least some clients joined to the domain so you can test this. If you don’t have enough hardware at your disposal, VMware Workstation is a great way to build test labs.

In the first part of the article I’m going to talk about Computer Certificates Auto-Enrollment and in the second part about User Certificates Auto-Enrollment.

Computer Certificates Auto-Enrollment

Now log in to one of your domain controllers and open the Group Policy Management console.

Here you have to decide where the GPO should be linked. If you want only a subset of clients to be configured for autoenrollment, create and link the GPO to the OU where those clients sit. If, however, you want the policy to apply to all clients in your domain, create and link the GPO to the root of the domain. To create the GPO, right-click the root of the domain or the OU and choose Create a GPO in this domain, and Link it here…. Give it a name and click OK.

On the newly created GPO do a right-click and choose Edit.

Once the Group Policy Management Editor opens, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Here you will see the Certificate Services Client – Auto-Enrollment policy.

Open its properties and choose Enabled in the Configuration Model box, then check the boxes Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates. Click OK when you are done. As you can see, this policy will automatically renew any expired certificates and also clean the certificate store of any certificates that have expired.

Configuring only this will not get the job done. You also have to tell the clients what type of certificate they can request, and this is done by creating a Certificate Request Setting. To set it up, expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and choose New > Automatic Certificate Request.

Click Next to skip the Welcome screen of the wizard.

On the Certificate Templates page you can see all the templates that you can use to issue certificates from. The only one we are interested in right now is the Computer certificate. Select it, click Next, and at the end click Finish to close the wizard.

Now you have a Certificate Request Setting created. Let’s test it and see if it works.

Log in to one of your clients and open the certificate store from Start > Run > mmc. Once the console opens, from the File menu choose Add/Remove Snap-in.

In the Add/Remove Snap-ins window select Certificates and click the Add button.

Choose Computer account > Local computer.

If you look in the Personal folder you can see that there is no certificate. To see the magic happen in real time, run gpupdate /force, then refresh the console. After this a computer certificate “magically” appears.

Oh yeah, and the certificate also has a private key, which is what we wanted.

Since this is Group Policy, you will have to wait between 90 and 120 minutes for the policy to take effect. Then all clients that are affected by this GPO will auto-enroll for a computer certificate from your internal CA.
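An added PowerShell check (not from the original article) for the client-side verification described above: it reads the autoenrollment policy the GPO wrote, pulls policy and kicks the autoenrollment task so you do not have to wait the 90 to 120 minutes, and then lists the machine certificates from your CA together with their template and private-key state. It assumes an elevated prompt on a domain-joined client and that the AEPolicy bit meanings in the comments follow the usual GPO mapping.

```powershell
# Added example, not from the original article: check a domain-joined client
# for the computer autoenrollment configured above. Run from an elevated prompt.
# Assumption: the AEPolicy bit meanings below follow the usual GPO mapping
# (0x2 = "Renew expired..." box, 0x4 = "Update certificates..." box,
# 0x8000 = policy set to Disabled); verify them in your own lab.

function Get-AutoenrollPolicy {
    param([ValidateSet('Machine', 'User')][string]$Scope = 'Machine')
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $val  = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $val) { return [pscustomobject]@{ Scope = $Scope; Configured = $false } }
    [pscustomobject]@{
        Scope           = $Scope
        Configured      = $true
        Enabled         = (($val -band 0x8000) -eq 0)
        RenewAndRemove  = (($val -band 0x2) -ne 0)
        UpdateTemplates = (($val -band 0x4) -ne 0)
        RawValue        = ('0x{0:X}' -f $val)
    }
}

function Get-AutoenrolledCert {
    param([string]$StorePath = 'Cert:\LocalMachine\My', [string]$IssuerPattern = '.')
    # Template name sits in one of two extensions: v1 templates (the built-in
    # Computer template is internally called "Machine") use 1.3.6.1.4.1.311.20.2,
    # v2 templates such as a duplicated User template use 1.3.6.1.4.1.311.21.7.
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -match $IssuerPattern } |
        ForEach-Object {
            $ext = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
            $tmplName = if ($ext) { $ext.Format($false) } else { '(none)' }
            [pscustomobject]@{
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Template      = $tmplName
                HasPrivateKey = $_.HasPrivateKey     # the property the article checks by hand
                NotAfter      = $_.NotAfter
                EKU           = ($_.EnhancedKeyUsageList.FriendlyName -join ', ')
            }
        }
}

# Usage: inspect the policy, pull it now, kick the autoenrollment task, list results
Get-AutoenrollPolicy -Scope Machine | Format-List
gpupdate /force | Out-Null
certutil -pulse | Out-Null
Get-AutoenrolledCert -IssuerPattern 'CN=' | Format-Table -AutoSize
```

Pass the distinguished name of your own CA (for example part of its CN) as -IssuerPattern to filter out self-signed or third-party certificates in the same store.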

User certificates Auto-Enrollment

Now I know that most of you also need a way to auto-enroll for user certificates, so these users can encrypt their personal data or secure their emails. For this, a few things need to be modified or added to your Enterprise Internal CA and user accounts. First of all, the users need to have an email address present in the E-mail field of their AD account.

Then a new certificate template needs to be created. Log in to one of your domain controllers and open the Certification Authority console. Right-click the Certificate Templates folder and choose Manage.

Search for the User template, right-click it and choose Duplicate.

On the General tab type a name for the new template, then go to the Security tab. Here select Domain Users from the ACL (Access Control List) and in the Permissions section check the Enroll (it should already be checked, but just in case) and Autoenroll boxes. Click OK.

Back on the Certification Authority console, right-click the Certificate Templates folder one more time and choose New > Certificate Template to Issue. From the list, search for the new template, select it and click OK.
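An added PowerShell check (not from the original article) for the three template steps above: it confirms that the duplicated template grants Domain Users both the Enroll and Autoenroll rights, that the CA actually publishes it, and lists users in the target OU who still lack the E-mail attribute. It assumes the RSAT ActiveDirectory module, the ADCSAdministration module on the CA server for the publish check, and that $TemplateName is the name you typed on the General tab; the two GUIDs are the well-known Enroll and Autoenroll extended rights.

```powershell
# Added example, not from the original article. Assumptions: RSAT ActiveDirectory
# module; ADCSAdministration module (present on the CA server) for the publish
# check; $TemplateName is the name typed on the General tab. The GUIDs are the
# well-known Enroll and Autoenroll extended rights on certificate templates.

function Test-TemplateAutoenrollAcl {
    param([Parameter(Mandatory)][string]$TemplateName, [string]$Principal = 'Domain Users')
    Import-Module ActiveDirectory
    $rights = @{ Enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
                 Autoenroll = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2' }
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $tmpl = Get-ADObject -SearchBase $base -Properties displayName `
                -Filter "name -eq '$TemplateName' -or displayName -eq '$TemplateName'"
    if (-not $tmpl) { throw "Template '$TemplateName' not found under $base" }
    # Only Allow ACEs for the principal that carry extended rights (or GenericAll) matter
    $aces = (Get-Acl -Path "AD:\$($tmpl.DistinguishedName)").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Principal" -and
        ($_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')
    }
    $result = [ordered]@{ Template = $tmpl.Name; Principal = $Principal }
    foreach ($name in $rights.Keys) {
        # an empty ObjectType means "all extended rights", which includes this one
        $result[$name] = [bool]($aces | Where-Object {
            $_.ObjectType -eq $rights[$name] -or $_.ObjectType -eq [guid]::Empty })
    }
    [pscustomobject]$result
}

function Test-TemplatePublished {
    param([Parameter(Mandatory)][string]$TemplateName)
    Import-Module ADCSAdministration          # run this one on the CA server itself
    [bool]((Get-CATemplate).Name -contains $TemplateName)
}

function Get-UserWithoutMail {
    # Users in the OU the user GPO is linked to who still lack the E-mail attribute
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail |
        Where-Object { -not $_.mail } | Select-Object SamAccountName, DistinguishedName
}

# Usage (template and OU names are placeholders for your own)
Test-TemplateAutoenrollAcl -TemplateName 'UserAutoenroll' | Format-List
Test-TemplatePublished     -TemplateName 'UserAutoenroll'
Get-UserWithoutMail -SearchBase 'OU=Users,DC=example,DC=local'
```

If Enroll or Autoenroll comes back False, the user GPO will apply but no certificate will be issued, which is the most common reason the store stays empty after gpupdate.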

Now that the template is ready, we need to set up the GPO that requests certificates on behalf of the user. Still on this domain controller, open the Group Policy Management console and create a new GPO. Again, this can be created and linked at the root of the domain or at an OU. If you link it to an OU, make sure it is one that contains users, not computers.

Once you create the GPO, right-click it and choose Edit. In the Group Policy Management Editor console expand User Configuration > Policies > Windows Settings > Security Settings and click the Public Key Policies folder. Here we have almost exactly the view we had when we configured the computer certificate auto-enrollment. The policy that we are interested in is Certificate Services Client – Auto-Enrollment, so double-click it to open its properties, or right-click > Properties.

From the Configuration Model drop-down box choose Enabled then check the Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates boxes. Click OK when you’re done.

All you have to do now is wait for the users to get the new policy, which can take between 90 and 120 minutes. If you don’t want to wait and want to force the process to see if it works, run gpupdate /force on the client computer. Then, if you open the user certificate store, you should see the certificate issued for the user you are logged in with.

Taking a look at the certificate itself: it has a private key, it was issued using the template we created, and it has all the key usages necessary for the user to encrypt data and email.

As you can see, this is a great feature that comes with AD; it only takes a couple of minutes to set up, but it saves you days of work.

5 comments

  1. Manfred

    Hi and thanks for this tutorial. I want to add a template to the list of available templates (Workstation Authentication Certificate Template). Do you know the way to do that?

    1. Adrian Costea

      Hi,
      You will have to clone an existing template, modify it the way you want (expiration period, security, etc.), then give it a name and you should be good to go.

  2. Mike

    Is there a way to configure automatic enrollment for remote desktop users?

  3. Jayesh

    Hello, excellent article!
    One question I have. You explained how a specific computer template is selected for putting in the Group Policy edit.
    Likewise, can you explain how to select a specific user template to target in the GP edit?

    1. Adrian Costea

      Hi,
      The information is already in the article. What exactly are you trying to do, so I can help you?
