Certificate Autoenrollment for Windows 2003

Posted on 2014-11-06
Medium Priority
Last Modified: 2014-11-26
I would like to know if setting up certificate autoenrollment on a Windows 2003 domain is worth it and how to do it. The KBs I have read talk about getting a certificate for the domain controller, but the certificate I have is for our Exchange 2003 server. I have the certificate installed on the Exchange server but want to use the autoenrollment feature so I can push out the certificates to mobile devices when they connect to the network through ActiveSync. How do I do this?
Question by: tparus
LVL 23

Accepted Solution

Radhakrishnan R earned 668 total points
ID: 40428106

The autoenrollment process grants certificates based on certificate templates that are supplied with Read, Enroll, and Autoenroll permissions for the users, groups, or computers who require autoenrollment. A modification is made to Group Policy to initiate the process during a Group Policy refresh or interactive logon event.

To configure Windows Server 2003 PKI certificate autoenrollment, please have a look at the step-by-step procedure.

Hope this helps
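Added example (PowerShell; not code from this thread or from any of its posters) that checks the two halves the answer above describes: which certificate templates in the forest actually grant the Enroll and Autoenroll rights (and have the template-side autoenrollment flag set), and whether the autoenrollment Group Policy has landed on the machine you run it from. Assumptions: PowerShell 2.0 or later on a domain-joined machine run by a domain user (reading the Configuration partition needs no special rights); the two GUIDs are the schema's Certificate-Enrollment and Certificate-AutoEnrollment control access rights; the meaning given to the AEPolicy registry value follows the Autoenrollment Settings policy (0x8000 = disabled, 7 = both check boxes ticked). Template names, groups and output are whatever your own forest returns.

```powershell
# Added example, not from the thread. Inventory autoenrollable templates and
# the local autoenrollment policy state. Assumes PowerShell 2.0+ on a
# domain-joined machine.

# Schema GUIDs of the two control access rights (assumed well-known values).
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# CT_FLAG_AUTO_ENROLLMENT bit of msPKI-Enrollment-Flag: the template itself
# must opt in; granting the Autoenroll ACE alone is not enough.
$CT_FLAG_AUTO_ENROLLMENT = 0x20

function Get-TemplateRightHolders {
    param([System.DirectoryServices.DirectoryEntry]$Template, [Guid]$Right)
    $rules   = $Template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $holders = @()
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # An ACE for exactly this extended right ...
        $grantsRight = ($rule.ObjectType -eq $Right) -and
            (($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
        # ... or a GenericAll ACE with no object type, which covers every right.
        $grantsAll = ($rule.ObjectType -eq [Guid]::Empty) -and
            (($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
              [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        if ($grantsRight -or $grantsAll) { $holders += $rule.IdentityReference.Value }
    }
    $holders | Sort-Object -Unique
}

function Get-AutoenrollTemplateReport {
    $configNc  = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($t in $container.Children) {
        $flags = 0
        if ($t.Properties['msPKI-Enrollment-Flag'].Value -ne $null) {
            $flags = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
        }
        $autoenrollers = @(Get-TemplateRightHolders -Template $t -Right $AutoEnrollRight)
        $enrollers     = @(Get-TemplateRightHolders -Template $t -Right $EnrollRight)
        New-Object PSObject -Property @{
            Template          = [string]$t.Properties['cn'].Value
            SchemaVersion     = [string]$t.Properties['msPKI-Template-Schema-Version'].Value
            AutoenrollFlagSet = (($flags -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0)
            AutoenrollGranted = ($autoenrollers -join ', ')
            EnrollGranted     = ($enrollers -join ', ')
        }
    }
}

function Get-AutoenrollPolicyState {
    # The Autoenrollment Settings GPO (Public Key Policies) writes AEPolicy here:
    # computer half under HKLM, user half under HKCU.
    $results = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        $value = $null
        if (Test-Path $key) { $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AEPolicy }
        $state = if ($value -eq $null)        { 'Not configured (no policy applied)' }
                 elseif ($value -band 0x8000) { 'Disabled' }
                 elseif ($value -eq 7)        { 'Enabled: renew/update/remove + update templates' }
                 else                         { "Enabled (AEPolicy=$value)" }
        $results += New-Object PSObject -Property @{ Scope = $hive; AEPolicy = $value; State = $state }
    }
    $results
}

Get-AutoenrollPolicyState | Format-Table Scope, AEPolicy, State -AutoSize
Get-AutoenrollTemplateReport | Where-Object { $_.AutoenrollGranted } |
    Format-Table Template, SchemaVersion, AutoenrollFlagSet, AutoenrollGranted -AutoSize
```

A template that shows up with a principal under AutoenrollGranted but AutoenrollFlagSet = False will never be picked up by the client, and a version 1 template cannot have the flag at all; in the Windows Server 2003 generation, version 2 templates also require an Enterprise Edition CA. If both scopes report "Not configured", the GPO has not been linked to the OU containing the computer or user, so there is nothing for the Group Policy refresh or logon event to trigger.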
LVL 64

Assisted Solution

btan earned 668 total points
ID: 40428139
To deploy cert-based authentication onto mobile devices such as iOS and Android, the link below is good: Part 1 shows configuring Exchange to allow certificate-based authentication for ActiveSync devices, and Part 2 shows configuring mobile devices for certificate-based authentication, whereby we need to enrol and issue certificates to end users via the admin workstation to deploy to the device. That is the minimum for a start to ensure all the cert link-up is alright. Note the use of other third-party ActiveSync clients for Android instead of the native mobile OS ActiveSync client (which iOS is using).

For cert autoenrollment, I am rather skeptical about that being totally transparent, as the delivery of the cert will not be transparent even though a new cert can be issued. The transfer via machine, storage card etc. may still be manual, and I am not sure if EAS (see the link sharing the "means") can do that transparently as expected. Maybe another MDM solution ... did not explore that though.. The normal domain-based autoenrollment setup (to state explicitly in the default enrollment policy) can still be followed, whereby the AD will be doing it for the user account (used by and deployed into the user's mobile device) residing as part of the domain in AD ...
LVL 35

Assisted Solution

Bembi earned 664 total points
ID: 40429716
OK, a comment as I have used it for many years.....
Autoenrollment is useful for standard certificates, i.e. for user certificates and computer certificates. Using GPOs and an AD structure gives good control over the enrollment, so that only devices which are in the correct AD OU get these certificates.
I created Win2003 templates for all standard certificates (as they give more control over the features than the default templates) and created additional templates for web servers and other services.

Autoenrollment usually doesn't really work for web server certs, as, e.g. for Exchange or Lync, you mostly need a SAN cert (a cert with several alternative subject names) to cover all needs for Exchange. For such purposes, I create a new 2003 WebServer template where I can add all properties by hand. The same goes for other types of certs which need some special additional information.

While the standard user / computer certs can be distributed easily with the default AD information and autoenrollment, I create all other certs by hand, but using templates. The advantage of the templates is that a cert which was created from a template can be renewed automatically. This way you avoid downtime of services due to cert expiration.

That means in fact that my clients get standard certificates as soon as they are moved into the corresponding AD OU, and all services (web servers, Exchange, Lync etc.) get a (mostly SAN) cert based on a template, which renews itself automatically as long as the CA exists. Even renewing the CA cert automatically updates the issued certs.

For the enrollment of mobile devices, you mostly need additional software or a manual installation, depending on the type of device (iOS, Android or Windows).
LVL 64

Expert Comment

ID: 40429722
Better not for autoenrollment, esp. for mobile users, since such devices are really mobile and the tendency of loss is pretty high, and connectivity to the backend MDM is not guaranteed. If the devices are enterprise-managed ones, it's better to check the balance and not overdrive the mobility, even when just leveraging EAS... very much dependent on the MDM client running..
