Add User Signature only cert as choice for certificate Services web
I just installed Active Directory Certificate Services on 2008 R2, with the CA web enrollment. When users go to //servername/certsrv they are asked to authenticate and then are given the option to request a cert. Then they are given "Select the certificate Type" with the option for User Certificate. I want to add User Signature only cert as a "default" option, as my employees won't be able to work through a full advanced cert request. Is there a way to add that option? Thank you
July 11th, 2012 3:35pm

Isn't the User Signature certificate actually a "certificate template"? You need to define a "certificate template" and then configure your CA to publish the certificate template. You also configure the template so that the users have Enroll and Read permissions to the template. After you publish the template in the CA, you need to restart the web enrollment computer (note that it must be the whole computer, not just the web server). The web enrollment tool then shows all certificate templates (only versions 2000 - version 1 and 2003 - version 2) that the particular CA publishes and which also have Enroll permission granted for the currently logged-on user. So if you do not want to see the User template, you need to unpublish it from the authority. Ondrej.
July 12th, 2012 2:28am

It is one of the templates, and it is available in the template selection for advanced certificate request, but it is not showing up as a certificate type in "normal" cert requests; here is a picture. I am trying to get it listed there and potentially with auto enroll for the user.
July 12th, 2012 8:21am

Aaa, of course. To achieve this, you would have to modify the enrollment pages, probably. What about just giving the users a URL link that points directly to the advanced request? Ondrej.
July 12th, 2012 8:27am

Are the users members of your domain running on computers that are domain members? /Hasain
July 12th, 2012 9:36am

Yes, all users are part of the domain when they are using / needing signature certs. I was digging around the web enrollment cert pages and found a comment / statement: <% 'options are the user cert types in the AvailReqType array Dim nIndex For nIndex=0 To nAvailReqTypes-1 %> which then is used to send the type of cert request to certrqbi.asp?type=<nIndex>. The question is, how do you add a cert template to that array, and where is the array? I have also started looking into just using group policy to autoenroll everyone, but not sure how that works out with the signature certs, etc.
July 12th, 2012 10:13am

Looking at group policy, I have it set so users are set up for auto enroll, but they would need to know how to request the cert; once again, not the training class I want to hold for 500+ users that know little about computers in general. Is there a way to provide a batch file or PowerShell script where the user clicks on it, the script runs and requests the signature cert? Long story short, I just need a simple manner for people to request signature certificates, so they can sign their employment documents electronically.
July 12th, 2012 10:44am
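One way to give users the "click this and you have a cert" experience asked for above is a PowerShell script that drives certreq.exe (shipped with Windows 7 / 2008 R2) against the published template. This is an added example, not something posted in the thread; the template name 'UserSignatureOnly' and the CA config string 'CA01.corp.example\Corp-Issuing-CA' are placeholders you replace with your own, and the duplicate check assumes the template name appears in the certificate's Template Information extension text.

```powershell
# Added example (not from the thread): one-click request of a signing certificate
# for the current user via certreq.exe. Run in the user's own session so the key
# and certificate land in the user's (not the machine's) store.
$TemplateName = 'UserSignatureOnly'                  # assumption: internal name of the published template
$CaConfig     = 'CA01.corp.example\Corp-Issuing-CA'  # assumption: "<CA host>\<CA common name>"

$work = Join-Path $env:TEMP 'sigcert'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'issued.cer'

# Stop early if the user already holds an unexpired certificate from this template,
# so re-running the script (or re-sending the email) does not enroll duplicates.
# The template is recorded in the Certificate Template Information extension
# (OID 1.3.6.1.4.1.311.21.7); its formatted text contains the template name.
$existing = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $_.NotAfter -gt (Get-Date) -and $ext -and
        ($ext.Format($false) -match [regex]::Escape($TemplateName))
}
if ($existing) { Write-Host 'A valid signing certificate is already installed.'; return }

# INF consumed by "certreq -new". Because the request names the template, the CA
# applies the template's own definition (signature-only usage, validity, etc.).
# Exportable = FALSE keeps the signing key from being copied off the machine.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$env:USERNAME"
Exportable = FALSE
MachineKeySet = FALSE
KeyUsage = 0x80
KeySpec = 2
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path $inf -Encoding ASCII

certreq.exe -new -q $inf $req | Out-Null                         # build PKCS#10 + key
certreq.exe -submit -q -config $CaConfig $req $cer | Out-Null    # send to the CA
if (-not (Test-Path $cer)) {
    throw 'The CA did not issue the certificate (check Enroll permission on the template, or pending requests on the CA).'
}
certreq.exe -accept -q $cer | Out-Null                           # install into Cert:\CurrentUser\My
Remove-Item $work -Recurse -Force
Write-Host 'Signing certificate installed; it is now available to Office and other applications.'
```

Because the user authenticates to the CA with their own domain credentials, the CA still enforces the template's Enroll permission, so the script only shortens the UI, it does not bypass who may enroll; the check at the top keeps a curious user from accumulating a pile of identical certificates.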

I have that set up, but it doesn't automatically create the certificate. It does let the user go into their local certificates, click new cert, click on the template, click OK, and poof, they have a cert. Good to go. I was hoping / looking, though, for a way to not expose the users to having to go to their certs and request the cert. Would like something a bit cleaner, like a web page or script file they run that sends the request for them, so I can send a company email that states: go here, click on this link / file and you're done. Everything except the request part is working for the auto enrollment part. Just need to figure out how to have the request auto sent. Or will the group policy go out and auto assign all auto enroll certs to a user when they sign in? If so, I need to try testing on a few different machines to ensure it's not an issue with group policy not updating on local machines.
July 12th, 2012 11:56am

"Or will the group policy go out and auto assign all auto enroll certs to a user when they sign in? If so, I need to try testing on a few different machines to ensure it's not an issue with group policy not updating on local machines." Yes, if autoenrollment is 100% enabled, all will just work in the background! I would suggest you check that autoenrollment is properly configured on the certificate as well as the user. Besides that, the certificate template must be version 2 or above, and the autoenrollment setting must be enabled separately per user and per computer. /Hasain
July 12th, 2012 12:31pm

Follow-up question: will the auto enrollment work with 2003 AD servers? The CA is set up on a 2008 R2 box, but our main AD forest is 2003.
July 13th, 2012 8:50am

OK, so the AD set up a cert for every employee, but it isn't "pushing" the certs to people's machines. So when they go to sign a document they still don't "have" a signing cert; technically they do, but MS Office doesn't see it in their certificates on the machine, so it prompts them to go to the marketplace or create their own, when I need them to use the cert we have created for them. Is there a way to get the group policy to push the cert to the users when they log into a machine?
July 13th, 2012 9:21am
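Hasain's checklist (user autoenrollment enabled, version 2+ template, Autoenroll permission) and the last post's "the cert exists on the CA but not on the user's machine" are easiest to tell apart from the client. The script below is an added example, not from the thread: run it as the affected user on their workstation. 'UserSignatureOnly' is a placeholder template name, and the event source name 'CertificateServicesClient-AutoEnrollment' is assumed to be the one Windows 7 clients log under.

```powershell
# Added example (not from the thread): client-side checks for why an autoenrolled
# user certificate has not shown up in the user's personal store.
$TemplateName = 'UserSignatureOnly'   # assumption: name of the signing template

# 1. Is user autoenrollment switched on by Group Policy on THIS client? The policy
#    writes AEPolicy under HKCU: 7 = enabled with "renew/remove" and "update templates"
#    ticked, 0x8000 = explicitly disabled, key absent = not configured (nothing enrolls).
$ae = Get-ItemProperty 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
if (-not $ae -or ($ae.AEPolicy -band 0x8000)) {
    Write-Warning 'User autoenrollment is not enabled by policy here; the GPO is not applying to this user/client.'
} else {
    "User autoenrollment policy present (AEPolicy = $($ae.AEPolicy))."
}

# 2. Autoenrollment runs at logon and then on a timer; trigger it now instead of waiting.
certutil.exe -user -pulse | Out-Null
Start-Sleep -Seconds 15

# 3. Does the user's store now hold a certificate issued from the template?
#    The template is recorded in the Certificate Template Information extension
#    (OID 1.3.6.1.4.1.311.21.7); its formatted text contains the template name.
$issued = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $ext -and ($ext.Format($false) -match [regex]::Escape($TemplateName))
}
if ($issued) {
    # Office only offers certificates whose private key is present; HasPrivateKey = False
    # means the cert was imported without its key and cannot sign anything.
    $issued | Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint
} else {
    Write-Warning "No certificate from template '$TemplateName' in CurrentUser\My."
    # 4. The autoenrollment client logs its reasons to the Application log; the last
    #    few events usually say why (no Autoenroll permission on the template, template
    #    not published on the CA, CA unreachable, or a version 1 template).
    Get-EventLog -LogName Application -Source 'CertificateServicesClient-AutoEnrollment' -Newest 5 -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EntryType, EventID, Message
}
```

A certificate that the CA issued on the server side never gets "pushed"; the client has to generate the key pair and request it, which is exactly what step 2 forces. If step 1 warns, the problem is GPO scope or refresh on the client; if step 1 passes but step 3 finds nothing, the Application log events in step 4 point at the template permissions or publication.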

