Enable Auto Enrollment to Avoid Expiring Certificates

Posted by Ahmed Nabil
It is common for admins to miss the renewal of key certificates in their Microsoft internal PKI (Public Key Infrastructure). Renewal is largely a manual task: you have to set Outlook reminders yourself (my favorite method) or run scheduled tasks that warn you before the certificate expiration date.

However, if there is a user that logs on to this CA (Certificate Authority) server frequently, we can enable Auto Enrollment for that user. Once it is configured, we no longer need to worry about expiring certificates, as long as that specific user keeps logging on to the CA.

To enable Auto Enrollment you need to do the following:

  1. Right-click the Certificate Template on which you want to enable the Auto Enrollment feature.
  2. On the Security tab (see the image below), add a specific user, or grant an existing user the Autoenroll permission. (In my case I picked a normal, low-privileged service account that connects to the server periodically, at least once a month, for maintenance and for installing the latest Windows updates.)
  3. Publish the template and issue the needed certificate.
  4. Open Group Policy Management (on your Domain Controller) and either create a new Group Policy or simply edit the Default Domain Policy.
  5. Navigate to User Configuration - Policies - Windows Settings - Security Settings - Public Key Policies and enable Autoenrollment (the "Certificate Services Client - Auto-Enrollment" setting) as shown below.

When this user, who now has the Autoenroll permission and the Autoenrollment policy applied, logs on to the CA server, the autoenrollment client notifies them, the certificate is enrolled (and later renewed) automatically, and it will not be left to expire.
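As an added example (this is not the blog author's script, and the template name `ExampleTemplate` is a placeholder), the PowerShell below checks the three things the procedure above depends on: whether the Auto-Enrollment policy from step 5 actually reached the machine (it reads the `AEPolicy` value the GPO writes), which certificates in the personal stores are about to expire and from which template they came, and which principals hold the Autoenroll right on a template (the `Certificate-AutoEnrollment` extended right, GUID `a05b8cc2-17bc-4802-a710-e7c15ab866a2`, in the configuration partition). Run it on the machine that receives the policy, in a domain-joined session.

```powershell
# Added example, not part of the original post. Placeholders: 'ExampleTemplate', 30-day window.

# 1) Decode the Auto-Enrollment policy flags written by the GPO setting
#    Public Key Policies > Certificate Services Client - Auto-Enrollment.
#    A typical "Enabled" policy with both checkboxes ticked stores 7; 0x8000 means disabled.
function Get-AutoEnrollmentPolicy {
    $flags = @{ EnableTemplateCheck = 0x1; EnableMyStoreManagement = 0x2; EnablePendingFetch = 0x4; DisableAll = 0x8000 }
    foreach ($scope in 'HKLM', 'HKCU') {
        $key   = "${scope}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        [pscustomobject]@{
            Scope           = $scope                      # HKLM = computer policy, HKCU = user policy
            AEPolicy        = $value                      # $null means no policy applied at this scope
            Enabled         = ($null -ne $value) -and (($value -band $flags.DisableAll) -eq 0)
            RenewExpired    = ($null -ne $value) -and (($value -band $flags.EnableMyStoreManagement) -ne 0)
            UpdateTemplates = ($null -ne $value) -and (($value -band $flags.EnableTemplateCheck) -ne 0)
        }
    }
}

# 2) List certificates in the user and machine personal stores that expire within $Days,
#    with the template name taken from the certificate template extension (v2 or v1 OID).
function Get-ExpiringCertificates {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays($Days)
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.NotAfter -le $cutoff } |
            ForEach-Object {
                $cert = $_
                $ext  = $cert.Extensions |
                    Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
                    Select-Object -First 1
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
                    Template   = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
                    Thumbprint = $cert.Thumbprint
                }
            }
    }
}

# 3) Show which principals were granted Autoenroll on a template (step 2 of the post).
#    Templates live under CN=Certificate Templates,CN=Public Key Services,CN=Services in the
#    configuration partition; Autoenroll is an object-specific ACE with this extended-right GUID.
function Get-TemplateAutoEnrollGrants {
    param([Parameter(Mandatory)][string]$TemplateName)
    $autoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
    $configDn = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDn"
    $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.ObjectType -eq $autoEnrollRight -and $_.AccessControlType -eq 'Allow' } |
        Select-Object @{ n = 'Template'; e = { $TemplateName } }, IdentityReference, ActiveDirectoryRights
}

# Usage: run as the account from step 2 on the CA server (or any machine in the policy's scope).
Get-AutoEnrollmentPolicy            | Format-Table -AutoSize
Get-ExpiringCertificates -Days 30   | Format-Table -AutoSize
Get-TemplateAutoEnrollGrants -TemplateName 'ExampleTemplate' | Format-Table -AutoSize
# To trigger the autoenrollment client immediately instead of waiting for the next logon
# or policy refresh, run:  certutil -pulse
```

If `Get-AutoEnrollmentPolicy` shows no `AEPolicy` value under `HKCU`, the user policy from step 5 has not reached this session yet (check scope and `gpupdate`), and no certificate will renew no matter what the template ACL says; if `Get-TemplateAutoEnrollGrants` returns nothing for the account, step 2 is incomplete. Keep the expiry report as a scheduled job even after autoenrollment works, since a certificate whose template was later retired or whose enrolling account stops logging on will still quietly expire.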


2 comments:

Paul Leadon Says:

Thanks for posting a good blog for Auto Enrollment!
