• Validity period—The length of time the certificate is valid if it isn't renewed. When the period elapses, the certificate expires: it's invalid and can no longer be renewed. You can specify the validity period in units of years, months, weeks, or days.
• Renewal period—The time window before a certificate's validity period expires in which the certificate can be renewed. For example, if a certificate is issued January 1, 2009 and has a validity period of 1 year and a renewal period of 1 month, the certificate can be renewed any time between December 1, 2009 and January 1, 2010. After a certificate is renewed, it's valid for another validity period. The renewal period must be shorter than the validity period.
• Publish certificate in Active Directory—When this check box is selected, each certificate issued from the template is published to the requester's Active Directory object (for a user, the userCertificate attribute), so other users and computers on the network can look it up, for example to encrypt mail to that user or to share EFS-encrypted files with that user.
• Do not automatically reenroll if a duplicate certificate exists in Active Directory—When this check box is selected, a client running Windows XP or later doesn't submit a new enrollment request if a certificate from the same template already exists in Active Directory for that user or computer. Certificates can still be renewed, but duplicate certificates aren't issued. Because the duplicate check looks in Active Directory, this option is meaningful only when the preceding option is also selected.
• For automatic renewal of smart card certificates, use the existing key if a new key cannot be created—When this check box is selected, autoenrollment renews a smart card certificate with the existing key pair if the card has no storage space left for a new key, which prevents renewal failures on full cards. Reusing a key across renewals extends the lifetime of that key, so select this option only where card capacity makes it necessary.
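The validity and renewal periods above are easy to get wrong by hand, so the following PowerShell is an added example (not from the textbook) that computes a template's renewal window from those two periods and then lists which certificates in a local store are currently renewable. The template periods passed in ('1 year', '1 month', '6 weeks') and the store path are illustrative assumptions; the 2009 dates reproduce the example in the text.

```powershell
# Added example, not from the original text: compute a template's renewal window
# from its validity and renewal periods, then list certificates in a local store
# that are currently inside the renewal window. Template values passed below are
# illustrative assumptions; the 2009 dates reproduce the book's example.

function Add-TemplatePeriod {
    # Template periods use years, months, weeks or days. Calendar arithmetic via
    # AddYears/AddMonths clamps 31 Jan + 1 month to 28/29 Feb instead of overflowing.
    param([datetime]$Start, [string]$Period, [int]$Sign = 1)
    if ($Period -notmatch '^\s*(\d+)\s*(year|month|week|day)s?\s*$') {
        throw "Unsupported period '$Period'; expected e.g. '1 year', '6 months', '2 weeks', '90 days'"
    }
    $n = [int]$Matches[1] * $Sign
    switch ($Matches[2].ToLower()) {
        'year'  { return $Start.AddYears($n) }
        'month' { return $Start.AddMonths($n) }
        'week'  { return $Start.AddDays(7 * $n) }
        'day'   { return $Start.AddDays($n) }
    }
}

function Get-RenewalWindow {
    param(
        [Parameter(Mandatory)][datetime]$NotBefore,
        [Parameter(Mandatory)][string]$ValidityPeriod,
        [Parameter(Mandatory)][string]$RenewalPeriod
    )
    $notAfter    = Add-TemplatePeriod -Start $NotBefore -Period $ValidityPeriod
    $windowStart = Add-TemplatePeriod -Start $notAfter -Period $RenewalPeriod -Sign (-1)
    if ($windowStart -le $NotBefore) {
        # The template editor rejects this combination: renewal would be allowed from day one.
        throw "Renewal period '$RenewalPeriod' must be shorter than validity period '$ValidityPeriod'"
    }
    [pscustomobject]@{
        NotBefore   = $NotBefore
        NotAfter    = $notAfter      # certificate expires here and cannot be renewed afterwards
        WindowStart = $windowStart   # renewal requests are accepted from here ...
        WindowEnd   = $notAfter      # ... until expiry
    }
}

function Get-CertificatesInRenewalWindow {
    # Issued certificates already carry NotBefore/NotAfter, so only the template's
    # renewal period is needed to decide whether renewal is possible right now.
    param([string]$RenewalPeriod = '6 weeks', [string]$StorePath = 'Cert:\CurrentUser\My')
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $windowStart = Add-TemplatePeriod -Start $_.NotAfter -Period $RenewalPeriod -Sign (-1)
        if ($now -gt $_.NotAfter)       { $status = 'Expired (not renewable)' }
        elseif ($now -ge $windowStart)  { $status = 'In renewal window' }
        else                            { $status = 'Not yet renewable' }
        [pscustomobject]@{
            Subject     = $_.Subject
            Thumbprint  = $_.Thumbprint
            NotAfter    = $_.NotAfter
            WindowStart = $windowStart
            Status      = $status
        }
    }
}

# Book example: issued 1 Jan 2009, validity 1 year, renewal period 1 month
# -> WindowStart 1 Dec 2009, WindowEnd/NotAfter 1 Jan 2010.
Get-RenewalWindow -NotBefore (Get-Date '2009-01-01') -ValidityPeriod '1 year' -RenewalPeriod '1 month'

# Which of the current user's certificates could be renewed today under a 6-week renewal period?
Get-CertificatesInRenewalWindow -RenewalPeriod '6 weeks' | Format-Table -AutoSize
```

Get-RenewalWindow throws when the renewal period is not shorter than the validity period, which mirrors the check the template editor itself enforces; Get-CertificatesInRenewalWindow is the kind of report worth scheduling so that certificates approaching expiry are caught before they leave the window and can no longer be renewed.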
Certificate enrollment occurs when a user or device requests a certificate, and the certificate is
granted. Enrollment can occur with several methods:
• Autoenrollment
• Certificates MMC
• Web enrollment
• Network Device Enrollment Service (NDES)
• Smart card enrollment
Configuring Certificate Autoenrollment
When autoenrollment is configured, users and devices don't have to make explicit certificate requests to be issued certificates. Autoenrollment options are configured through group policies and the certificate template: the template's security settings must grant the Autoenroll permission to the users or computers that should receive certificates. In addition, the CA must be configured to allow autoenrollment, which is an option only on enterprise CAs.
Certificate autoenrollment is commonly used for EFS. A user must have a certificate to encrypt and decrypt a file with EFS. If no certificate server is operating on the network, Windows generates a self-signed EFS certificate automatically, but only on the computer where the encrypted file is created. Without a central store of certificates, certificates created this way could be deleted or lost too easily, resulting in loss of access to the encrypted file. In addition, the user would have to be logged on to the computer where the encrypted file is stored to access it; network access to the encrypted file wouldn't be possible.
By setting up autoenrollment for EFS certificates, a user's EFS certificate is created the first time
he or she logs on to the domain after autoenrollment is configured. Furthermore, the certificate is
available anywhere in the domain and is centrally stored, which makes backup and restore of the
certificate easier. Because autoenrollment is configured through group policies, a user must first be
authenticated by a domain controller before a certificate is issued to make the process secure.
Autoenrollment is enabled in the Computer Configuration or User Configuration node of the Group Policy Management Console, under Windows Settings, Security Settings, Public Key Policies. The Certificate Services Client—Auto-Enrollment policy, which has the options shown in Figure 11-9, controls autoenrollment settings. The following list describes these options:
• Configuration Model—Options are Enabled, Disabled, and Not configured. If Enabled is selected, the users or computers to which the policy applies can autoenroll for certificates from templates that grant them the Autoenroll permission.
• Renew expired certificates, update pending certificates, and remove revoked certificates—When this check box is selected, autoenrollment is extended so that expired certificates are renewed, pending requests are completed, and revoked certificates are removed from the store automatically.
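Once the policy has been applied, a practitioner wants to confirm which model and options actually reached a client and whether an autoenrollment pass succeeds. The following PowerShell is an added example (not from the textbook) that reads the policy value the Certificate Services Client—Auto-Enrollment setting writes for the computer and for the user, triggers an autoenrollment pass, and shows what the client logged. The registry location, the AEPolicy bit meanings and the event provider name are this script's own assumptions about how the setting is stored and logged; they are not taken from the page.

```powershell
# Added example, not from the original text: read the autoenrollment policy that the
# "Certificate Services Client - Auto-Enrollment" setting writes for the computer and
# the user, then trigger an autoenrollment pass and show what the client logged.
# The registry location, the AEPolicy bit meanings and the event provider name are
# this script's assumptions about how the Group Policy setting is stored and logged.

function Get-AutoEnrollmentPolicy {
    param([ValidateSet('Computer', 'User')][string]$Scope = 'Computer')
    # Computer Configuration lands in HKLM, User Configuration in HKCU (assumed layout).
    $hive = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $item = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No value present: the "Not configured" model.
        return [pscustomobject]@{
            Scope              = $Scope
            ConfigurationModel = 'Not configured'
            Enroll             = $null
            RenewUpdateRemove  = $null
            UpdateTemplates    = $null
            RawValue           = $null
        }
    }
    $v        = [int]$item.AEPolicy
    $disabled = ($v -band 0x8000) -ne 0                     # assumed: Disabled model sets bit 15
    $model    = if ($disabled) { 'Disabled' } else { 'Enabled' }
    [pscustomobject]@{
        Scope              = $Scope
        ConfigurationModel = $model
        Enroll             = (-not $disabled) -and (($v -band 0x1) -ne 0)   # assumed bit 0: Enabled
        RenewUpdateRemove  = (-not $disabled) -and (($v -band 0x2) -ne 0)   # assumed bit 1: renew expired, update pending, remove revoked
        UpdateTemplates    = (-not $disabled) -and (($v -band 0x4) -ne 0)   # assumed bit 2: update certificates that use templates
        RawValue           = '0x{0:X}' -f $v
    }
}

function Invoke-AutoEnrollmentCheck {
    # certutil -pulse asks the Auto-Enrollment task to run now instead of waiting for
    # the next Group Policy refresh; it is only meaningful on a domain-joined client.
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 5
    # The client records the outcome in the Application log under this provider (assumed name).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

'Computer', 'User' | ForEach-Object { Get-AutoEnrollmentPolicy -Scope $_ } | Format-List
Invoke-AutoEnrollmentCheck | Format-Table -Wrap
```

Reading the raw policy value is the quickest way to tell a client that never received the setting (no value) from one where it was deliberately disabled, and the event output after the pulse shows whether the CA actually issued anything, which the policy state alone cannot tell you.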