Set Up Automatic Certificate Enrollment

In our last post, Setup CA Server, we covered the installation and configuration of the CA server. In this post we will see how to automate the certificate enrollment process.

In a small environment with only a handful of components, you can generate and sign certificates manually and replace them one by one. But if you have many servers running in a lab, or you are using the CA in production with hundreds of servers, replacing the certs manually is a time-consuming and very tedious job.

We can automate certificate enrollment via Active Directory to save time. With an Active Directory domain and an Enterprise CA, we can deploy certificates automatically to domain-joined clients using a process known as autoenrollment. This saves a lot of time and reduces the administrative overhead of deploying certificates to client systems. For this to work, we need a GPO linked to our domain or an OU and configured with the autoenroll policy.

Prerequisites:

1: Active Directory installed and configured.

2: Enterprise Root CA installed/configured.

3: Client system joined to the AD domain.

Let's see how to automate the cert enrollment process.

Log in to one of domain controllers and open the Group Policy Management console.

If you want the policy to apply to all clients in your domain, create and link the GPO to the root of the domain.

To create the GPO, right-click the root of the domain or the OU and choose Create a GPO in this domain, and Link it here.

Provide a name for the GPO and click OK.

Right-click the newly created GPO and choose Edit.

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

Here you will see the Certificate Services Client – Auto-Enrollment policy.

Select Enabled in the Configuration Model box, then check the boxes Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates. Hit OK after making the changes.


Next we tell the clients what type of certificate they can request. This is done by creating an Automatic Certificate Request Setting.

To do so, expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and choose New > Automatic Certificate Request.

Hit Next on the Welcome screen of the wizard.

Select Computer on the Certificate Templates page and hit Next. Click Finish to complete the wizard.

Log in to any client computer that is part of your AD domain and open the certificate store from Start > Run > mmc. Once the console opens, choose Add/Remove Snap-in from the File menu.

Select Certificates on the left side of the window and click Add >.

Choose Computer account > Local computer.


At this moment there are no certificates in the Personal folder. AD will take some time to distribute the certs to the client system. Generally group policy takes 90 to 120 minutes to enforce the policy on all client systems.

To see the certificate right away, run gpupdate /force on the client computer. The client will immediately refresh group policy and you will see a cert under the Personal folder.

You can see in the screenshot below that this cert was issued by my CA server (Issued By column).

Double click on the cert to view its properties.
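The same check can be done from PowerShell instead of clicking through the MMC. This is an added example, not part of the original post: it reads the registry value the Auto-Enrollment GPO writes, then lists the machine certificates with their template, expiry and trust status. It assumes you replace the placeholder $ExpectedIssuer with the name of your own Enterprise CA and run it elevated on a domain-joined client.

```powershell
# Added example (not from the original post). Run elevated on a domain-joined client.
# Assumption: $ExpectedIssuer is a placeholder; put the CN of your own Enterprise CA here.
$ExpectedIssuer = 'CN=YOUR-CA-NAME'

# The "Certificate Services Client - Auto-Enrollment" GPO setting lands in this key once
# the policy applies. If the value is missing, the GPO has not reached this machine yet.
$aePath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy

if ($null -eq $aePolicy) {
    Write-Warning "AEPolicy not found: GPO not applied yet. Run 'gpupdate /force' and check again."
} elseif ($aePolicy -band 0x8000) {
    Write-Warning ("Autoenrollment is disabled by policy (AEPolicy = 0x{0:X})." -f $aePolicy)
} else {
    # With both check boxes from the GPO dialog ticked, the value is 7 (bits 0x1, 0x2, 0x4 set).
    Write-Host ("Autoenrollment enabled (AEPolicy = 0x{0:X})." -f $aePolicy)
}

# v1 templates such as Computer put the template name in extension 1.3.6.1.4.1.311.20.2;
# v2 and later templates use Certificate Template Information, 1.3.6.1.4.1.311.21.7.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ext  = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    [pscustomobject]@{
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        Template  = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
        NotAfter  = $cert.NotAfter
        DaysLeft  = [int]($cert.NotAfter - (Get-Date)).TotalDays
        FromOurCA = $cert.Issuer -like "*$ExpectedIssuer*"
        ChainOK   = $cert.Verify()   # $false means this client does not trust the issuing chain
    }
}

$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.FromOurCA -and $_.ChainOK })) {
    Write-Warning "No trusted certificate from $ExpectedIssuer yet; wait for the refresh interval or run gpupdate /force."
}
```

A certificate that shows FromOurCA as True but ChainOK as False usually means the root CA certificate has not reached the client's Trusted Root store, which is worth checking before assuming autoenrollment itself failed.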

In our next post we will see how to create certificate templates for VMware products.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable