Certificate Autoenrollment for Windows 2003

Posted on 2014-11-06
Last Modified: 2014-11-26
I would like to know if setting up Certificate Auto enrollment on a Windows 2003 domain is worth it and how to do it. The KB's I have read talk about getting a certificate for the Domain controller but the certificate I have is for our Exchange 2003 server. I have the certificate installed on the Exchange server but want to use the Auto enrollment feature so I can push out the certificates to Mobile devices when they connect to the network through Active Synch. How do I do this?
Question by:tparus
  • 2
LVL 20

Accepted Solution

Radhakrishnan Rajayyan earned 167 total points
Comment Utility

The autoenrollment process grants certificates based on certificate templates that are supplied with Read, Enroll, and Autoenroll permissions for the users, groups, or computers who require autoenrollment. A modification is made to Group Policy to initiate the process during a Group Policy refresh or interactive logon event.

To configure Windows Server 2003 PKI Certificate Autoenrollment, please have look at the step by step procedure

Hope this helps
LVL 61

Assisted Solution

btan earned 167 total points
Comment Utility
to deploy cert based into mobile device such as iOS and Android, the link below is good where Part 1 shows configuring Exchange to allow certificate-based authentication for ActiveSync devices and Part 2 shows configure mobile devices for certificate based authentication, whereby we need to enrol and issue certificates to end-users via the admin workstation to deploy to device. That is the minimal for a start to ensure all the cert link up is alright. Note the use of other third-party ActiveSync client for Android instead of native Mobile OS activesync client (which iOS is using).

For cert autoenrollment, I am rather skeptical about that being totally transparent as the delivery of the cert will not be transparent though new cert can be issued. The transfer via machine, storage card etc may still be manual and not sure if EAS (see link sharing the "means") can do that tranparently as expected. Maybe other MDM solution ... did not explore that though.. The normal domain based auto-enrollment setup (to state explicitly in the default enrollment policy) can still be followed whereby the AD will be doing for the user account (used by and deployed into the user's Mobile device) residing as part of the domain in AD ...
LVL 35

Assisted Solution

Bembi earned 166 total points
Comment Utility
OK, a comment as I use it for many years.....
Autoenrollment is useful for standard certificates i.e. for user certificates and computer certificates. Using GPOs and a AD structure gives a good control over the enrollment, so that only devices, which are in the corrects AD OU gets this certificates.
I created Win2003 templates for all standard certificates (as they give more control over the features than the default templates and created additional templates for webserver and other services.

Autoenrollment usually doesn't really work for webserver certs, as - i.e. for Exchange or Lync - you need mostly a SAN cert (a cert with several alternative subject names) to cover all needs for exchange. For such purposes, I create a new 2003 WebServer template where I can add all properties by hand. Analog for other types of certs, which need some special additional information.

While the standard user / computer certs can be distributes easily with the default AD information and autoenrollment, I create all other certs by hand, but using templates. The advantage of the templates is, that a cert, which was created by a template can automatically be renewed. This way you avoid downtime of services due to cert expiration.

That means in fact, that my clients gets standard certificates as far as they moved into the according AD OU, and all services (webservers, exchange, lync etc.) get a (mostly SAN-) cert based on a template, which renews themselves automatically as long as the CA exists. Even renewing the CA cert updates automatically the issued certs.

For the enrollment of mobile devices, you need mostly additional software or a manual installation, dependent on the type of the device (iOS, Android or Windows).
LVL 61

Expert Comment

Comment Utility
better not for autoenrollment esp for mobile user since device of such are really mobie and tendency of loss is pretty high, connectivity to backend MDM is not guarantee. If the device are enterprise managed ones, it better to check balance not to overdrive the mobility even using just leveraging EAS...very much dependent on the MDM client running..

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

Explore the encryption capabilities built into Google Apps and how these features can help you meet privacy policy and regulatory compliance, but are not a full solution. Understand and compare the most popular email encryption services for Google A…
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now