Certificate Autoenrollment for Windows 2003

I would like to know if setting up Certificate Autoenrollment on a Windows 2003 domain is worth it and how to do it. The KBs I have read talk about getting a certificate for the domain controller, but the certificate I have is for our Exchange 2003 server. I have the certificate installed on the Exchange server but want to use the Autoenrollment feature so I can push out the certificates to mobile devices when they connect to the network through ActiveSync. How do I do this?
Tim, Sr. System Admin, asked:
Radhakrishnan R, Senior Technical Lead, commented:

The autoenrollment process grants certificates based on certificate templates that are supplied with Read, Enroll, and Autoenroll permissions for the users, groups, or computers who require autoenrollment. A modification is made to Group Policy to initiate the process during a Group Policy refresh or interactive logon event.

To configure Windows Server 2003 PKI Certificate Autoenrollment, please have a look at the step-by-step procedure.

Hope this helps

btan, Exec Consultant, commented:
To deploy cert-based authentication to mobile devices such as iOS and Android, the link below is good: Part 1 shows configuring Exchange to allow certificate-based authentication for ActiveSync devices, and Part 2 shows how to configure mobile devices for certificate-based authentication, whereby we need to enrol and issue certificates to end users via the admin workstation to deploy to the device. That is the minimum for a start to ensure all the cert linkage is alright. Note the use of other third-party ActiveSync clients for Android instead of the native mobile OS ActiveSync client (which iOS uses).

For cert autoenrollment, I am rather skeptical about that being totally transparent, as the delivery of the cert will not be transparent even though a new cert can be issued. The transfer via machine, storage card etc. may still be manual, and I am not sure if EAS (see the link sharing the "means") can do that transparently as expected. Maybe other MDM solutions ... did not explore that though.. The normal domain-based auto-enrollment setup (stated explicitly in the default enrollment policy) can still be followed, whereby AD will be doing it for the user account (used by and deployed into the user's mobile device) residing as part of the domain in AD ...
OK, a comment, as I have used it for many years.....
Autoenrollment is useful for standard certificates, i.e. for user certificates and computer certificates. Using GPOs and an AD structure gives good control over the enrollment, so that only devices which are in the correct AD OU get these certificates.
I created Win2003 templates for all standard certificates (as they give more control over the features than the default templates) and created additional templates for web server and other services.

Autoenrollment usually doesn't really work for web server certs, as, e.g. for Exchange or Lync, you mostly need a SAN cert (a cert with several subject alternative names) to cover all needs for Exchange. For such purposes, I create a new 2003 WebServer template where I can add all properties by hand. Analogously for other types of certs which need some special additional information.

While the standard user / computer certs can be distributed easily with the default AD information and autoenrollment, I create all other certs by hand, but using templates. The advantage of the templates is that a cert which was created from a template can automatically be renewed. This way you avoid downtime of services due to cert expiration.

That means in fact that my clients get standard certificates as soon as they are moved into the corresponding AD OU, and all services (web servers, Exchange, Lync etc.) get a (mostly SAN) cert based on a template, which renews itself automatically as long as the CA exists. Even renewing the CA cert automatically updates the issued certs.

For the enrollment of mobile devices, you mostly need additional software or a manual installation, depending on the type of the device (iOS, Android or Windows).
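Both the answer above on templates granting Read, Enroll and Autoenroll, and this answer on scoping autoenrollment by AD OU, come down to who actually holds those three rights on a published template. The following PowerShell script is an added example (not code from this thread) that audits that from a domain-joined workstation using plain ADSI; it assumes read access to the Configuration partition and relies on the well-known AD extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment.

```powershell
# Added example (not from this thread): report which principals hold the
# Read / Enroll / Autoenroll permissions on every template that a CA publishes.
# Assumes a domain-joined workstation with read access to the Configuration
# partition; plain ADSI only, no RSAT modules needed.
$R = [System.DirectoryServices.ActiveDirectoryRights]
# Well-known AD extended-right GUIDs (Certificate-Enrollment, Certificate-AutoEnrollment).
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a1285d58-5b88-4cfd-9e39-fd6a89f6f5f1'

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Templates actually published by a CA (certificateTemplates attribute on each
# pKIEnrollmentService object); an unpublished template can never autoenroll.
$published = @{}
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pkiBase").psbase.Children) {
    foreach ($name in $ca.certificateTemplates) { $published[[string]$name] = [string]$ca.cn }
}

function Get-TemplatePermissionReport {
    foreach ($tpl in ([ADSI]"LDAP://CN=Certificate Templates,$pkiBase").psbase.Children) {
        $name = [string]$tpl.cn
        if (-not $published.ContainsKey($name)) { continue }
        # Read ACEs as SIDs first so an orphaned SID does not abort the whole run.
        $rules = $tpl.psbase.ObjectSecurity.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            if ($r.AccessControlType -ne 'Allow') { continue }
            $id = $r.IdentityReference
            try { $id = $id.Translate([System.Security.Principal.NTAccount]) } catch {}
            $full   = ($r.ActiveDirectoryRights -band $R::GenericAll) -ne 0
            $ext    = ($r.ActiveDirectoryRights -band $R::ExtendedRight) -ne 0
            $allExt = $ext -and ($r.ObjectType -eq [guid]::Empty)   # ACE grants every extended right
            [pscustomobject]@{
                Template    = $name
                PublishedBy = $published[$name]
                Principal   = $id.Value
                Read        = $full -or (($r.ActiveDirectoryRights -band $R::ReadProperty) -ne 0)
                Enroll      = $full -or $allExt -or ($ext -and ($r.ObjectType -eq $EnrollGuid))
                Autoenroll  = $full -or $allExt -or ($ext -and ($r.ObjectType -eq $AutoEnrollGuid))
            }
        }
    }
}

# Only principals with all three rights will autoenroll; review this list against
# the OUs the autoenrollment GPO is linked to and tighten any over-broad group.
Get-TemplatePermissionReport |
    Where-Object { $_.Read -and $_.Enroll -and $_.Autoenroll } |
    Sort-Object Template, Principal | Format-Table -AutoSize
```

Rows where a broad group such as Authenticated Users or Domain Users holds all three rights on a template deserve a second look, since every member in a GPO-targeted OU will then receive that certificate.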
btan, Exec Consultant, commented:
Better not for autoenrollment, esp. for mobile users, since such devices are really mobile and the tendency of loss is pretty high; connectivity to the backend MDM is not guaranteed. If the devices are enterprise-managed ones, it is better to check the balance and not overdrive the mobility even when just leveraging EAS...very much dependent on the MDM client running..