Today, I am going to show you how to configure server certificate auto-enrollment via Group Policy. You need an Enterprise certification authority (root CA) in the domain before you configure auto-enrollment; if you have not installed one yet, you can follow my previous post, which walks through the installation step by step.

  1. Log in to the certification authority server.
  2. On the Server Manager page, select Tools and click Certification Authority.

  3. In the Certification Authority console, expand your CA and click Certificate Templates. Several templates exist by default; I am going to use the Computer template (its intended purposes are Client Authentication and Server Authentication) for server certificate auto-enrollment. You can also duplicate a template and use the copy instead. Note that Computer is a version 1 template and cannot be edited; if you need different settings (for example a larger key size or a longer validity period), duplicate it. Whichever template you use, the computer accounts (by default the Domain Computers group) must have Read and Enroll permission on it, or the request will be denied.

  4. Before we start configuring server certificate auto-enrollment, select Issued Certificates; you will notice that no certificates have been issued yet.

  5. Log in to the domain controller (or any server with the Group Policy Management console installed).
  6. On the Server Manager page, select Tools, click Group Policy Management.

  7. On the Group Policy Management page, right-click Group Policy Objects and select New.

  8. In the New GPO dialog, enter Auto Enrollment for Computer Certificate Policy as the Name and click OK.

  9. Right-click Auto Enrollment for Computer Certificate Policy and select Edit.

  10. In the Group Policy Management Editor, expand Computer Configuration > Policies > Windows Settings > Security Settings, select Public Key Policies, and double-click Certificate Services Client – Auto-Enrollment.

  11. On the Certificate Services Client – Auto-Enrollment page, change Configuration Model from Not configured to Enabled.

  12. Under Configuration Model, check Renew expired certificates, update pending certificates, and remove revoked certificates.
  13. Also check Update certificates that use certificate templates, then click OK. Without this option, computers keep their old certificates when you later modify or supersede the template.

  14. Under Public Key Policies, right-click Automatic Certificate Request Settings and select New > Automatic Certificate Request.

  15. On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next.

  16. On the Certificate Template page, select Computer, click Next.

  17. On the Completing the Automatic Certificate Request Setup Wizard page, confirm that the Computer template is listed in the summary and click Finish.

  18. Under Automatic Certificate Request Settings, make sure the Computer template is showing, then close the Group Policy Management Editor.

  19. On the Group Policy Management page, right-click your domain name (or the OU that contains your servers) and select Link an Existing GPO.

  20. On the Select GPO page, select Auto Enrollment for Computer Certificate Policy, click OK.

  21. Make sure the Auto Enrollment for Computer Certificate Policy GPO is linked under the domain (or the Server OU). Because this is a Computer Configuration policy, linking it at the domain level enrolls every domain-joined computer, workstations included; linking it to a Server OU limits enrollment to the servers in that OU.

  22. You can force a Group Policy refresh on a server with the gpupdate /force command; autoenrollment runs as part of the refresh. Running certutil -pulse afterwards triggers the autoenrollment task directly instead of waiting for the next scheduled run.

  23. Now you will see the certificate in the Personal store of the servers (certlm.msc > Personal > Certificates) and under Issued Certificates on the certification authority server. If a server does not receive a certificate, check that the GPO actually applies to it (gpresult /r /scope:computer) and that the computer account has Read and Enroll permission on the template.
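The same procedure in PowerShell, as an added example that is not part of the original post. It creates and links the GPO from a management server and then verifies the result on a member server and on the CA. The domain name corp.example.com, the OU OU=Servers,DC=corp,DC=example,DC=com and the CA name CORP-CA are assumed for illustration; the GroupPolicy RSAT module is assumed to be installed. The Automatic Certificate Request Settings entry (steps 14–18) has no GroupPolicy cmdlet, so that part is still done in the editor.

```powershell
# Added example, not from the original post. Assumed names: corp.example.com,
# OU=Servers,DC=corp,DC=example,DC=com and the CA common name CORP-CA.
Import-Module GroupPolicy

$gpoName  = 'Auto Enrollment for Computer Certificate Policy'
$targetOu = 'OU=Servers,DC=corp,DC=example,DC=com'   # assumed OU holding the servers

# --- Steps 7-8: create the GPO (reuse it if it already exists) ---
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# --- Steps 10-13: enable Certificate Services Client - Auto-Enrollment ---
# The policy is stored as the AEPolicy DWORD under this key.
#   0x1 = renew expired / update pending / remove revoked (step 12)
#   0x2 = update certificates that use certificate templates (step 13)
#   0x4 = retrieve pending requests;  0x8000 would disable autoenrollment entirely
# 7 is what the editor writes when both boxes in the post are checked.
$aeKey = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
# Renew when 10 % of the lifetime remains (the editor's default), for the machine MY store.
Set-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'OfflineExpirationPercent' -Type DWord -Value 10 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'OfflineExpirationStoreNames' -Type String -Value 'MY' | Out-Null

# --- Steps 19-21: link to the Servers OU, not the whole domain, so workstations are not enrolled ---
$alreadyLinked = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $alreadyLinked) { New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null }

# ======================================================================
# --- Steps 22-23, run on a member server inside the Servers OU ---
# ======================================================================
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null          # kick the autoenrollment task instead of waiting
Start-Sleep -Seconds 15

# Show the machine certificate that came from the Computer template: issued by our CA
# and carrying the Server Authentication EKU the template is intended for.
$caName = 'CORP-CA'                 # assumed CA common name
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match "CN=$caName" -and
                   $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint

# ======================================================================
# --- On the CA: the same view as Issued Certificates in the console ---
# ======================================================================
# The Computer template's internal name is "Machine"; 20 is the "issued" disposition.
certutil -view -restrict "CertificateTemplate=Machine,Disposition=20" -out "RequestID,RequesterName,NotAfter"
```

The first half is idempotent, so it is safe to run again after a change; if the servers already hold a certificate from an earlier manual request, gpupdate alone will not replace it, which is why the verification filters by issuer and EKU rather than assuming the store is empty.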

Hope you enjoy this post.

Cary Sun

Twitter: @SifuSun