Set Up Automatic Certificate Enrollment


In our last post, Setup CA Server, we saw the installation and configuration of a CA server. In this post we will see how to automate the certificate enrollment process.

For a small number of components in a small environment you can generate and sign certificates manually and replace them one by one. But if you have many servers running in a lab, or you are using the CA in production with hundreds of servers, then replacing the certs manually is a time-consuming and very tedious job.

We can automate certificate enrollment via Active Directory to save time. With an Active Directory domain and an Enterprise CA, we can deploy certificates automatically to domain-joined clients using a process known as autoenrollment. This saves a lot of time and reduces the administrative overhead of deploying certificates to client systems. For this to work, we need a GPO linked to our domain or to an OU, configured with the autoenrollment policy.

Prerequisites:

1: Active Directory installed and configured.

2: Enterprise Root CA installed/configured.

3: Client system joined to the AD domain.

Let's see how to automate the certificate enrollment process.

Log in to one of the domain controllers and open the Group Policy Management console.

If you want the policy to apply to all clients in your domain, create and link the GPO to the root of the domain.

To create the GPO, right-click the root of the domain or the OU and choose Create a GPO in this domain, and Link it here.

Provide a name for the GPO and click OK.

Right-click the newly created GPO and choose Edit.

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

Here you will see the Certificate Services Client – Auto-Enrollment policy.

Set the Configuration Model to Enabled, then tick both options: "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates". Click OK after making the changes.

Next, we need to tell the clients what type of certificate they can request. This is done by creating an Automatic Certificate Request Setting.

To do so, expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and choose New > Automatic Certificate Request.

Hit Next on the Welcome screen of the wizard.

Select Computer on the Certificate Templates page and click Next. Click Finish to complete the wizard.
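The GPO part of the procedure above can also be scripted. The following is an added example, not code from the original post: it creates the GPO, links it at the domain root and writes the same Auto-Enrollment setting the console writes, using the GroupPolicy and ActiveDirectory RSAT modules on a domain controller. The GPO name is an assumption. The setting lives in the AEPolicy registry value under the AutoEnrollment policy key; 7 is the value the editor stores when the model is Enabled and both options are ticked, and 0x8000 means Disabled. The Automatic Certificate Request Settings wizard step has no cmdlet equivalent that I know of, so that part is still done in the console.

```powershell
# Added example (not from the original post): create and link the autoenrollment GPO
# with PowerShell instead of the GPMC wizard. Run on a domain controller or a host with
# the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Certificate Autoenrollment'       # assumed name; use whatever you named the GPO
$DomainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=lab,DC=local

# Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Computer certificate autoenrollment'
}

# Link it at the domain root so every domain-joined computer gets it.
# Link to an OU instead if only a subset of machines should enrol.
$linked = (Get-GPInheritance -Target $DomainDN).GpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
}

# "Certificate Services Client - Auto-Enrollment" is stored as the AEPolicy DWORD.
#   7      = Enabled, with "renew expired / update pending / remove revoked" and
#            "update certificates that use certificate templates" both ticked
#   0x8000 = Disabled
$AutoEnrollKey = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $GpoName -Key $AutoEnrollKey `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# Read the setting back so you can confirm what the GPO will push to clients.
Get-GPRegistryValue -Name $GpoName -Key $AutoEnrollKey -ValueName 'AEPolicy' |
    Select-Object ValueName, Type, Value
```

After running it, the GPO shows up in the console with the Auto-Enrollment policy already set; open it once to add the Automatic Certificate Request for the Computer template as described above.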

Log in to any client computer that is part of your AD domain and open the certificate store from Start > Run > mmc. Once the console opens, choose Add/Remove Snap-in from the File menu.

Select Certificates on the left side of the window and click Add >.

Choose Computer account > Local computer.

At this point there are no certificates in the Personal folder. AD takes some time to distribute the certs to client systems, because the background Group Policy refresh generally takes 90 to 120 minutes to enforce the policy on all clients.

To see the certificate right away, run gpupdate /force on the client computer. The client updates its group policy immediately and you will see a cert under the Personal folder.

You can see in the screenshot below that this cert was issued by my CA server (Issued By column).

Double-click the cert to view its properties.
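The same client-side check can be done from an elevated PowerShell prompt, which is handy when you have many machines to verify. This is an added example and not code from the original post. It confirms the policy value reached the client, triggers autoenrollment immediately with certutil -pulse (the same effect as waiting for the refresh after gpupdate /force), lists what landed in the machine Personal store with the template it came from, and checks that the chain builds back to a trusted root. The CA name is an assumption; replace it with the name shown in your Issued By column.

```powershell
# Added example (not from the original post): trigger and verify autoenrollment on a
# domain-joined client. Run in an elevated PowerShell session.
$CaName = 'LAB-CA'   # assumed CA common name; use the value from the Issued By column

# 1. Confirm the policy actually arrived. AEPolicy = 7 means Enabled with both options
#    ticked, 0x8000 means Disabled, and a missing value means the GPO has not applied yet.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae) {
    Write-Warning 'Autoenrollment policy not present yet; refreshing computer Group Policy.'
    gpupdate /target:computer /force | Out-Null
} else {
    'AEPolicy = 0x{0:X}' -f $ae.AEPolicy
}

# 2. Ask the autoenrollment client to run now instead of at the next policy refresh.
certutil -pulse | Out-Null

# 3. List machine certificates issued by our CA and show which template each came from.
#    OID 1.3.6.1.4.1.311.20.2 carries the template name for version 1 templates such as
#    "Computer" (the one chosen in the wizard); 1.3.6.1.4.1.311.21.7 is used by newer templates.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*$CaName*" }
$issued | ForEach-Object {
    $tmpl = $_.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }
    [pscustomobject]@{
        Subject    = $_.Subject
        IssuedBy   = $_.Issuer
        NotAfter   = $_.NotAfter
        Template   = ($tmpl -join '; ')
        Thumbprint = $_.Thumbprint
    }
} | Format-Table -AutoSize

# 4. Make sure each issued cert chains to a trusted root. A cert that enrolled but fails
#    here usually means the Enterprise CA root is missing from the machine's Trusted Root
#    store, which applications will refuse even though the Personal store looks fine.
foreach ($cert in $issued) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $ok = $chain.Build($cert)
    $status = if ($ok) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
    '{0}  chain: {1}' -f $cert.Thumbprint, $status
}
```

If step 3 prints nothing after certutil -pulse, check the Application log for CertificateServicesClient-AutoEnrollment events on the client and the failed requests on the CA before touching the GPO again.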

In our next post we will see how to create certificate templates for VMware products.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)

About Alex Hunt

Hi All I am Manish Kumar Jha aka Alex Hunt. I am currently working in VMware Software India Pvt Ltd as Operations System Engineer (vCloud Air Operations). I have around 5 Years of IT experience and have exposure on VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS and Cisco Nexus 1000v and NSX. If you find any post informational to you please press like and share it across social media and leave your comments if you want to discuss further on any post. Disclaimer: All the information on this website is published in good faith and for general information purpose only. I don’t make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The Views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the product discussed.