Manual management of certificates can require some effort, especially in larger environments. In addition, there is always the risk that an expiration date is overlooked and services then temporarily become inaccessible to users. Autoenrollment provides a remedy here.
This procedure works basically the same way for user and computer certificates. With the former, care should be taken to ensure that the automatic issuing does not lead to uncontrolled growth of certificates.
For autoenrollment, the following components and actions are required:
- Certificate templates must be configured for automatic certificate issuance
- The relevant templates must be activated
- A GPO that configures clients to request certificates independently must be set
Furthermore, the clients must be able to connect to the CA.
Creating a certificate template
Since we want to issue SSL certificates automatically in our example, it seems obvious to use the existing Web Server template for this. However, that template is still based on schema version 1 and is therefore not suitable for automatic enrollment.
Therefore, we create a copy of the Web Server template for our purpose and configure it according to our requirements. To do this, we open the certificate template console certtmpl.msc and execute the Duplicate Template command from the context menu of the Web Server template.
The snap-in then shows the Compatibility tab of the new template. Depending on your environment, you can specify the OS versions of the certification authority and the certificate recipients. Newer versions of Windows often include additional options for issuing certificates.
Then switch to the General tab and assign a name to the new template. Here, you can also change the validity period. The option Publish certificate in Active Directory remains deactivated for SSL certificates; it is intended for user certificates that are used to encrypt email and the file system.
The settings under Request Handling can be left as they are in the Webserver template. It is not usually necessary to export the private key, because the certificate is only used on the computer from which it was requested.
On the Subject Name tab, make sure that the requesting computer retrieves its name from Active Directory. The default format is the Common Name, but you can also select either the FQDN or the DNS name. The latter can also be used for the Alternate Subject Name.
If you only want to renew existing certificates, then the option Supply in the request comes in handy. If you tick the checkbox for Use subject information from existing certificates for autoenrollment renewal requests, then the Subject Name and Alternate Subject Name are taken from an existing certificate based on the same template.
Finally, the settings under Security are of particular importance. There, you have to grant the requesting party not only the Read and Enroll permissions, but also Autoenroll.
In the case of SSL certificates, these are computer accounts. They should be included in a security group, which will then be assigned this right.
This completes the configuration of the new template, and you can now save it.
Activating the template
To make the newly created template ready for use, you have to activate it for the certification authority. To do so, open certsrv.msc, switch to the Certificate Templates node in the navigation pane, and select New > Certificate Template to Issue from its context menu.
In the following dialog box, select the newly created template and click OK.
Defining Group Policy
Finally, we need a GPO that instructs the computers in question to request certificates automatically. To do this, link a new group policy object to the desired OUs or domains and open it in the GPO editor.
There, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the setting Certificate Services Client - Auto-Enrollment.
The other options are displayed after you have picked a setting under Configuration Model. Here, select both checkboxes and define the percentage of remaining validity at which expiry warnings for a certificate appear. Usually, you can keep the default value of 10 percent.
As soon as the GPO is applied to the target computers (e.g., by executing gpupdate), a scheduled task checks whether a certificate needs to be requested or renewed. The process is triggered when the computer is restarted. Alternatively, you can kick off the process explicitly with:
Assigning a certificate to services
If a certificate has just been issued or renewed, it must still be assigned to the relevant services. This may have to be done manually.
Since version 8.5, IIS has supported automatic Certificate Rebind when the certificate is renewed. The corresponding setting can be found under Server Certificates > Actions and is called Enable Automatic Rebind of Renewed Certificate.
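Once the GPO from the section Defining Group Policy has applied, you will want to confirm on a member server that the policy actually landed and see which machine certificates came from the new template and how close they are to the renewal window. The following PowerShell script is an added example, not part of the original article; it assumes the duplicated template was named WebServerAuto (change the parameter to match your template name) and runs in an elevated session on the target computer.

```powershell
# Added example (not from the original article): check the autoenrollment policy
# that the GPO wrote locally and list machine certificates issued from the
# duplicated web server template, flagging those inside the renewal window.
param(
    [string]$TemplateName = 'WebServerAuto'   # assumed name of the duplicated template
)

# 1. "Certificate Services Client - Auto-Enrollment" stores its settings here.
#    AEPolicy is a bitmask: 1 = enabled, 2 = renew expired / update pending /
#    remove revoked, 4 = update certificates that use templates. With both
#    checkboxes from the article ticked the value is 7.
$aePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$policy = Get-ItemProperty -Path $aePath -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "No autoenrollment policy under $aePath - has the GPO applied (gpupdate)?"
    return
}
$aeFlags = [int]$policy.AEPolicy
$expiryPercent = 10   # GPO default when OfflineExpirationPercent is not set
if ($policy.PSObject.Properties['OfflineExpirationPercent']) {
    $expiryPercent = [int]$policy.OfflineExpirationPercent
}
"AEPolicy = $aeFlags (enabled: $(($aeFlags -band 1) -ne 0); renew/update: $(($aeFlags -band 2) -ne 0); template updates: $(($aeFlags -band 4) -ne 0))"
"Renewal threshold: $expiryPercent % of remaining lifetime"

# 2. Certificates from v2+ templates carry the Certificate Template Information
#    extension (OID 1.3.6.1.4.1.311.21.7); its decoded text starts with
#    "Template=<name>(<template OID>)". v1 templates (like the built-in
#    Web Server) do not have it and are skipped.
$templateOid = '1.3.6.1.4.1.311.21.7'
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    if (-not $ext) { return }                               # acts as "continue"
    $text = $ext.Format($false)
    if ($text -notmatch "Template=$([regex]::Escape($TemplateName))[\(,]") { return }

    $lifetime  = ($cert.NotAfter - $cert.NotBefore).TotalDays
    $remaining = ($cert.NotAfter - (Get-Date)).TotalDays
    $window    = $lifetime * $expiryPercent / 100           # autoenrollment renews inside this
    $status    = 'OK'
    if ($remaining -le 0)            { $status = 'EXPIRED' }
    elseif ($remaining -le $window)  { $status = 'due for autorenewal' }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        DaysRemaining = [math]::Round($remaining, 1)
        Status        = $status
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

A certificate that stays in "due for autorenewal" after the scheduled task has run usually points at a missing Autoenroll permission on the template or a CA that the client cannot reach, which are the two prerequisites the article lists.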