PowerShell Certificate – Enable Certificate Enrollment Policy and Request a Cert

certificate, certificate-authority, group-policy, powershell, powershell-v3.0

Right now, I'm doing the following to request a cert from a CEP server:

  • Open gpedit.msc
  • Under Computer Configuration > Windows Settings > Security Settings > Public Key Policies, double click "Certificate Services Client – Certificate Enrollment Policy"
  • Enable
  • Enter the CEP URI
  • Switch to Username/Password authentication
  • Validate (Provide Creds)
  • Open MMC, and import the Certificates snap-in
  • Go to Certificates > Personal
  • Right-click > Request New Certificate
  • Enter "more information" (CN, DNS Name, etc.)
  • Provide Creds

After this I have a cert from the CEP; however, this is a painful process to do manually. Is there any way to automate this in Server 2008 (and 2012)? All information that I can find about this tells how to install the CEP services to make a server an enrollment policy server (nothing about actually requesting a new cert, or enabling it on the client side). Is it possible to automate this?

It looks like this process adds a lot of data under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography. Can I manually add this (and spoof a GUID/ServiceID)?

Best Answer

I presume your certificate requests are made using a template. If that's the case then use the Public Key Policies/Certificate Services Client - Auto-Enrollment Settings GPO to enforce auto enrollment. You'll also want to ensure the template ACL has Enroll and AutoEnroll marked for either domain computers or domain users (or whatever ACL object, depending on the intended audience). There's a user config and computer config policy to leverage depending on whether or not it's a machine cert or user cert you're trying to push. Enrollment begins as soon as the policy is pushed, usually about 15 minutes after the GPO is linked and enforced.
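The manual steps in the question (register the CEP with username/password authentication, then request a template-based certificate into the machine store) can be scripted with the PKIClient cmdlets that ship with Windows 8 / Server 2012 and later; this is an added example, not code from the question or the answer. The CEP URL, template name, subject and DNS names are placeholder assumptions, and the script must run elevated to write to the LocalMachine store.

```powershell
# Added example: script the CEP registration + certificate request done by hand above.
# Requires the PKIClient module (Windows 8 / Server 2012+) and an elevated prompt.
# Assumed placeholder values; replace with your environment's:
$CepUrl       = 'https://cep.example.internal/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'
$TemplateName = 'WebServerCEP'            # template *name* (not display name) published via the CEP
$Subject      = 'CN=web01.example.internal'
$DnsNames     = @('web01.example.internal', 'web01')

# Account the CEP accepts for username/password authentication (the "Provide Creds" steps).
$cred = Get-Credential -Message 'Account used to authenticate to the CEP server'

# Step 1: register the policy server for the machine context, which is what the
# gpedit.msc steps did. Skip if an entry for this URL is already configured.
$existing = Get-CertificateEnrollmentPolicyServer -Scope Configured -Context Machine |
    Where-Object { $_.Url -eq $CepUrl }
if (-not $existing) {
    # -AutoEnrollmentEnabled lets the auto-enrollment engine also use this policy server.
    Add-CertificateEnrollmentPolicyServer -Url $CepUrl -Context Machine `
        -Credential $cred -AutoEnrollmentEnabled -ErrorAction Stop
}

# Step 2: submit the request to the policy server and install the issued certificate
# in the local machine Personal store (Cert:\LocalMachine\My), with the CN / DNS
# "more information" fields filled in from the variables above.
$result = Get-Certificate -Template $TemplateName -Url $CepUrl -Credential $cred `
    -SubjectName $Subject -DnsName $DnsNames -CertStoreLocation 'Cert:\LocalMachine\My'

# Step 3: handle the outcome. A template that requires CA manager approval comes back
# 'Pending'; the request stays in Cert:\LocalMachine\REQUEST and is completed later
# by re-submitting it with Get-Certificate -Request.
switch ($result.Status) {
    'Issued'  { Write-Output  "Issued: $($result.Certificate.Thumbprint) $($result.Certificate.Subject)" }
    'Pending' { Write-Warning "Pending CA approval; later run: Get-Certificate -Request `$result.Request" }
    default   { Write-Error   "Enrollment did not complete, status '$($result.Status)'" }
}
```

Because `Get-Certificate` targets the CEP URL directly, step 1 is only needed if you also want the auto-enrollment engine (the answer's approach) to pick up that policy server; for a one-off request, steps 2 and 3 alone suffice.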