Enable Auto Enrollment to Avoid Expiring Certificates

Enable Auto Enrollment to Avoid Expiring Certificates

Its common that sometimes few admins miss the renewal of some key certificates in their Microsoft internal PKI (Public Key Infrastructure), this is due to the fact that its a bit of manual task and you need to set manually some Outlook reminders (My favorite method) or run schedules tasks to remind you before the Certificate expiration date.


However if you a user that logs frequently on this CA (Certificate Authority) server we can enable Auto Enrollment for this user. After configuring it, we don’t need to worry about the expiring certificates as long as the specific user still logs onto the CA.


To Enable Auto Enrollment you need to do the following:


  1. Right click on the Certificate Template where you need to enable the Auto Enrollment feature
  2. On the Security Tab (Check below image), add a specific user or grant an existing user the Auto Enroll permission (In my case i picked a normal low privileged service account that connects periodically on the server at least each month for maintenance and installing latest windows updates).                                                                                                                                                                                                                                                                        

                                                                                                                                                             
  3. Publish the Template and issue the needed certificate.
  4. Open the Group Policy Management (On your Domain Controller) and either create a new Group policy or simply edit the Default Domain Policy
  5. Navigate to User Configuration - Policies - Windows Settings - Security Settings - Public Key Policy and enable Autoenrollment as shown below. 


This user with the Autoenroll feature enabled when logged in on the CA server will get notified and the certificate will get enrolled and the Certificate won't get expired.

For More details and PKI articles please check my blog http://itcalls.blogspot.com/
http://itcalls.blogspot.com/2013/08/enable-auto-enrollment-to-avoid.html

Leave a Comment
  • Please add 3 and 1 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
Page 1 of 1 (2 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Balaji M Kundalam edited Revision 1. Comment: Typography - minor edit

  • Maheshkumar S Tiwari edited Revision 2. Comment: Added Tag

Page 1 of 1 (2 items)