December 3, 2024
Today, I am going to show you how to configure Server Certificate Auto-enrollment via Group Policy. You need to have an Enterprise certification authority root server before you configure auto-enrollment. If you don't know how to install an Enterprise certification authority root server, you can follow my previous post, which walks through the installation step by step.

  1. Log in to the Certificate Authority server.
  2. On the Server Manager page, select Tools and click Certification Authority.

  3. On the Certificate Authority page, select your Domain and click Certificate Templates. There are some existing templates by default. I am going to use the Computer template (its intended purposes are Client Authentication and Server Authentication) for server certificate auto-enrollment; you can also create (duplicate) a new certificate template for it.

  4. Before we start configuring server certificate auto-enrollment, select Issued Certificates; you will notice that no certificates have been issued yet.

  5. Log in to the Domain Controller server.
  6. On the Server Manager page, select Tools, click Group Policy Management.

  7. On the Group Policy Management page, right-click Group Policy Objects and select New.

  8. On the New GPO page, enter Auto Enrollment for Computer Certificate Policy as the Name, then click OK.

  9. Right-click the Auto Enrollment for Computer Certificate Policy, select Edit.

  10. On the Group Policy Management Editor page, expand Computer Configuration → Policies → Windows Settings → Security Settings, select Public Key Policies and double-click Certificate Services Client – Auto-Enrollment.

  11. On the Certificate Services Client – Auto-Enrollment page, change Configuration Model from Not configured to Enabled.

  12. Under Configuration Model, select Renew expired certificates, update pending certificates, and remove revoked certificates.
  13. Under Configuration Model, select Update certificates that use certificate templates. Click OK.

  14. Under Public Key Policies, right-click Automatic Certificate Request Settings, select New.

  15. On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next.

  16. On the Certificate Template page, select Computer, click Next.

  17. On the Completing the Automatic Certificate Request Setup Wizard page, make sure the setup completed successfully, then click Finish.

  18. On the Automatic Certificate Request Settings, make sure the Computer certificate is showing and close Group Policy Management Editor.

  19. On the Group Policy Management page, right-click your local domain name (or the Server OU), select Link an Existing GPO.

  20. On the Select GPO page, select Auto Enrollment for Computer Certificate Policy, click OK.

  21. Make sure the Auto Enrollment for Computer Certificate Policy GPO is under the local domain (or the Server OU).

  22. You can force the GPO update on the server with the gpupdate /force command.

  23. Now you will see the certificate on the servers and under Issued Certificates on the Certification Authority server.
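
To check steps 22 and 23 from the server side instead of the GUI, the following PowerShell is an added example and not part of the original post. It assumes an elevated session on a server in scope of the linked GPO; the function names and the 15-second wait are choices made for this example, while the AEPolicy registry value, its flag bits and the OIDs are standard Windows values that the post itself does not show.

```powershell
# Added verification example (not from the original post). Run elevated on a
# server that is in scope of the linked GPO.
$ServerAuth  = '1.3.6.1.5.5.7.3.1'     # Server Authentication EKU
$ClientAuth  = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU
$TemplateOid = '1.3.6.1.4.1.311.20.2'  # template-name extension used by v1 templates

function Get-AutoEnrollmentPolicy {
    # Registry value written by the Certificate Services Client - Auto-Enrollment setting.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value) { return [pscustomobject]@{ Configured = $false } }
    [pscustomobject]@{
        Configured          = $true
        Disabled            = [bool]($value -band 0x8000)
        RenewPendingRevoked = (($value -band 0x6) -eq 0x6)  # checkbox from step 12
        UpdateFromTemplates = [bool]($value -band 0x1)      # checkbox from step 13
    }
}

function Get-ComputerTemplateCertificate {
    # Machine-store certificates that carry both EKUs of the Computer template.
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $usages = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($usages -notcontains $ServerAuth -or $usages -notcontains $ClientAuth) { continue }
        $tplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer   # should be your enterprise CA
            Template      = if ($tplExt) { $tplExt.Format($false) } else { '(no v1 template name)' }
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Thumbprint    = $cert.Thumbprint
        }
    }
}

gpupdate /force | Out-Null   # step 22: refresh Group Policy
certutil -pulse | Out-Null   # ask the autoenrollment task to run now
Start-Sleep -Seconds 15      # enrollment is asynchronous; the delay is an arbitrary choice
Get-AutoEnrollmentPolicy
Get-ComputerTemplateCertificate | Format-List
```

A certificate issued from the Computer template reports the template's internal name, Machine, in the Template field. An unexpected Issuer or HasPrivateKey set to False on the listed certificate is worth investigating before services start relying on it.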

Hope you enjoy this post.

Cary Sun

Twitter: @SifuSun
