Figure 11-9 Options for the Auto-Enrollment policy
Update certificates that use certificate templates — When this check box is selected, certificates created with a certificate template can be updated through autoenrollment if the template changes.
Autoenrollment is configured for certificate templates in the Request Handling, Issuance
Requirements, and Security tabs of a template's Properties dialog box. In the Request Handling
tab, you can configure the amount of user interaction required during autoenrollment with the
following options:
Enroll subject without requiring any user input — This option is required for autoenrollment of computers and services. You can also select it if you want user autoenrollment to occur in the background without user interaction.
Prompt the user during enrollment — Users must respond to prompts during autoenrollment.
Prompt the user during enrollment and require user input when the private key is used — Users must enter a password during autoenrollment and each time their private keys are used. This option is the most secure but least user-friendly.
The Issuance Requirements tab has options for specifying enrollment requirements for certificates issued from the template:
CA certificate manager approval — If selected, a CA manager must approve the certificate request before it's issued.
This number of authorized signatures — If enabled and the number of signatures is more than zero, certificate enrollment requests must be signed with a digital signature. If more than one signature is required, autoenrollment is disabled.
Require the following for reenrollment — Two options are available. If “Same criteria as for enrollment” is selected, users must use the same process for renewal that's required for initial enrollment. If “Valid existing certificate” is selected, renewal is automatic as long as the current certificate is valid.
The Security tab of a certificate template is similar to the Security tab of most Active Directory objects. By default, Domain Users group members have the Enroll permission. The Autoenroll permission must also be set for users in the domain to autoenroll for certificates based on the template.
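The three tabs described above are stored as attributes and permissions on the template object, so they can be reviewed in bulk instead of one dialog box at a time. The following is an added example, not taken from the book: the function name and the two sample templates are constructed for illustration, and the attribute names, flag bits and extended-right GUIDs are assumed to be as documented in Microsoft's MS-CRTD specification.

```powershell
# msPKI-Enrollment-Flag / msPKI-Private-Key-Flag bits (assumed values, per MS-CRTD).
$PEND_ALL_REQUESTS      = 0x2    # Issuance Requirements: CA certificate manager approval
$REENROLL_EXISTING_CERT = 0x40   # Reenrollment: "Valid existing certificate"
$USER_INTERACTION       = 0x100  # Request Handling: prompt the user during enrollment
$STRONG_KEY_PROTECTION  = 0x20   # Private-key flag: user input each time the key is used
# Extended-right GUIDs behind the Enroll and Autoenroll permissions on the Security tab.
$ENROLL     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AUTOENROLL = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-TemplateAutoenrollSummary {   # hypothetical helper name
    param([Parameter(Mandatory)] $Template)
    $ef  = [int]$Template.'msPKI-Enrollment-Flag'
    $pkf = [int]$Template.'msPKI-Private-Key-Flag'
    $sig = [int]$Template.'msPKI-RA-Signature'   # "This number of authorized signatures"
    $interaction = 'None (background)'
    if ($ef -band $USER_INTERACTION) {
        $interaction = 'Prompt during enrollment'
        if ($pkf -band $STRONG_KEY_PROTECTION) { $interaction += ' and on each key use' }
    }
    $notes = @()
    if ($sig -gt 1) { $notes += 'More than one signature required: autoenrollment disabled' }
    if ($ef -band $PEND_ALL_REQUESTS) { $notes += 'CA manager must approve before issuance' }
    # A principal autoenrolls only if it holds Autoenroll in addition to Enroll.
    $auto = @($Template.Aces | Where-Object Right -eq $AUTOENROLL | ForEach-Object Principal)
    $enr  = @($Template.Aces | Where-Object Right -eq $ENROLL | ForEach-Object Principal)
    [pscustomobject]@{
        Template    = $Template.Name
        Interaction = $interaction
        Signatures  = $sig
        Reenroll    = if ($ef -band $REENROLL_EXISTING_CERT) { 'Valid existing certificate' } else { 'Same criteria as for enrollment' }
        Autoenroll  = ($auto | Where-Object { $_ -in $enr }) -join ', '
        Notes       = $notes -join '; '
    }
}

# Constructed sample templates (not read from a real directory).
$samples = @(
    [pscustomobject]@{ Name = 'Example-Workstation'; 'msPKI-Enrollment-Flag' = 0x20  # autoenrollment bit
        'msPKI-Private-Key-Flag' = 0; 'msPKI-RA-Signature' = 0
        Aces = @(
            [pscustomobject]@{ Principal = 'Domain Computers'; Right = $ENROLL }
            [pscustomobject]@{ Principal = 'Domain Computers'; Right = $AUTOENROLL }) }
    [pscustomobject]@{ Name = 'Example-UserSigning'; 'msPKI-Enrollment-Flag' = 0x142
        'msPKI-Private-Key-Flag' = 0x20; 'msPKI-RA-Signature' = 2
        Aces = @([pscustomobject]@{ Principal = 'Domain Users'; Right = $ENROLL }) }
)
$samples | ForEach-Object { Get-TemplateAutoenrollSummary $_ } | Format-List
```

The second sample shows the combination the text warns about: a template that prompts on every key use and requires two signatures cannot autoenroll, and Domain Users hold only Enroll, so its Autoenroll column is empty.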