Windows – Request a personal certificate on Windows automatically

Tags: certificate-authority, windows

I have been tasked to create a Windows Server 2012 Certificate Authority (CA) on our domain and use it to create a Personal Certificate for our users. The purpose of the certificate is to be able to sign PDF files.

I have created the CA, and created a new template called "PDF Signing" with all the options I need. Now the only thing that remains is to actually create the certificate for our users.

So far I have seen 3 methods to do this:

  1. Run certmgr, right click on Personal->Certificates and request a certificate. Follow the wizard and choose the "PDF Signing" template. I don't know if this method requires the users to be administrators.
  2. Install the web enrollment role feature and point the users to the website. Ironically, I find that the UI is more complex than the one in certmgr.
  3. Command line version (certreq).

Is there a way to automate this process? The command line version requires an .ini file and to supply the password, which complicates automation.

Am I stuck explaining to the users how to use certmgr? Our users don't have any kind of privileges, not even local administrator. Or is there another method I have not seen?

Best Answer

This feature is called Certificate Autoenrollment: Configure Certificate Autoenrollment

Just to note: do not use web enrollment; it is way outdated and has very, very limited functionality.

Edit: Here is how autoenrollment works.

  1. Each time group policies are refreshed on clients (on domain members it is about every 90 min +/-, on domain controllers it is 15 or 5 minutes, depending on functional level) it triggers the autoenrollment.
  2. Autoenrollment checks all certificate templates from Active Directory and selects the ones where the current user account (or group) has Read and Autoenroll permissions.
  3. Autoenrollment locates available Enterprise CAs in the Active Directory forest and checks whether the CA supports the certificate templates selected in step 2.
  4. Autoenrollment examines the local certificate store and checks whether there are valid certificates based on the templates selected in step 3. If a certificate is missing, autoenrollment performs silent certificate enrollment.

Although the logic is more complex, this information is enough for you to understand how templates are selected, in other words, through permissions and certificate template availability at the CA server.
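As an added example (not part of the answer above), this PowerShell script checks from the user's side that the autoenrollment described here actually happened: it reads the policy value the GPO writes, triggers an autoenrollment pass instead of waiting for the next policy refresh, looks for a certificate issued from the template in the user's Personal store, and lists recent autoenrollment events. The template name "PDF Signing" is taken from the question; the event provider name and the check that the policy's "enabled" bit is set are assumptions.

```powershell
# Added example: verify user certificate autoenrollment for one template.
# Run as the enrolling user on a domain-joined client; no admin rights needed.
param([string]$TemplateName = 'PDF Signing')

# The autoenrollment GPO writes this DWORD. Bit 1 = enabled; the renew/update
# options add bits 2 and 4 (7 = all options on). Assumed bit layout.
$aeKey    = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy -or ($aePolicy -band 1) -eq 0) {
    Write-Warning "User autoenrollment is not enabled by policy (AEPolicy=$aePolicy)."
} else {
    Write-Host "User autoenrollment is enabled (AEPolicy=$aePolicy)."
}

# Kick off an autoenrollment pass now rather than waiting up to 90 minutes.
& certutil.exe -user -pulse | Out-Null

# Find certificates in the Personal store that carry the Certificate Template
# Information extension (v2+ templates) naming our template.
$templateOid = '1.3.6.1.4.1.311.21.7'
$issued = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $ext -and ($ext.Format($false) -like "Template=$TemplateName*")
}

if ($issued) {
    $issued | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    Write-Warning "No certificate from template '$TemplateName' found; check Read/Autoenroll on the template and that the CA publishes it."
}

# Recent autoenrollment events explain failures (e.g. permission or CA issues).
# Provider name is assumed; adjust if your client logs under a different one.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

If the policy bit is set but no certificate appears, the event list usually shows which of steps 2 to 4 above failed.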
