Request a personal certificate on Windows automatically

Posted on

A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack — an ordered selection of software that makes it possible to complete a particular task. Like in this post about Request a personal certificate on Windows automatically was one problem in server stack that need for a solution. Below are some tips in manage your windows server when you find problem about windows, certificate-authority, , , .

I have been tasked to create a Windows Server 2012 Certificate Authority (CA) on our domain and use it to create a Personal Certificate to our users. The purpose of the certificate is to be able to sign PDF files

I have created the CA, and created a new template called “PDF Signing” with all the options i need. Now the only thing that remains is to actually create the certificate to our users.

So far i have seen 3 methods to do this:

  1. Run certmgr, right click on Personal->Certificates and request a certificate. Follow the wizard and choose the “PDF Signing” template. I don’t know if this method requires the user to be administrators.
  2. Install the web enrollment role feature and point the users to the website. Ironically, i find that the UI is more complex than the one in certmgr
  3. Command line version (certreq)

Is there a way to automate this process? The command line version requires an .ini file and to supply the password, which complicates automation.

Am i stuck explaining the users how to use certmgr? Our users don’t have any kind of privileges, not even local administrator. Or is there another method i have not seen?

This feature is called Certificate Autoenrollment: Configure Certificate Autoenrollment

just to note: do not use web enrollment, it is way outdated and have very and very limited functionality.

Here is how autoenrollment works.

  1. Each time group policies are refreshed on clients (on domain members it is about each 90min +/-, on domain controllers it is 15 or 5 minutes, depending on functional level) it triggers the autoenrollment.
  2. Autoenrollment checks all certificate templates from Active Directory and selects ones where current user account (or group) have Read and Autoenroll permissions.
  3. Autoenrollment locates available Enterprise CAs in an Active Directory forest and checks whether the CA supports certificate templates selected in step 2.
  4. Autoenrollment examines local certificate store and checks whether there are valid certificates based on templates selected in step 3. If there is missing certificate, autoenrollment performs silent certificate enrollment.

Although, the logic is more complex, this information is enough to you to understand how templates are selected, in other words, through permissions and certificate template availability at CA server.

Leave a Reply

Your email address will not be published.