Certificate Autoenrollment, Windows 2008 Active Directory and Issuing Certificate Services Server.
I need to document and validate several things before I can close my project.
1. Revocation list - I have created a certificate and issued it to a user and a workstation. How do I show this user's entry in the revocation list and when they expire? I have not worked with the revocation list functions yet.
2. How often is the revocation list updated? Where do I check that?
3. What is a good test to verify autoenrollment? i.e. if I create a certificate that expires in 2 days and set it to autoenroll in 1 day, is that a good test?
4. Can I push a certificate to a user or workstation with a GPO using a duplicate template in my Certificate Authority?
September 30th, 2011 3:44pm

Item 1: revocation
Using the MMC CA snap-in, find the issued cert in the "Issued" folder and right-click. You can revoke it right there. You can then right-click on the CA and "Publish CRL", which will force the base CRL to be published. You should see the serial number of the cert you revoked on the CRL at the published location. This is probably not what would happen in a production environment, i.e. CRLs are published at specific intervals. Also don't forget that clients cache CRLs, so if you want to see the effect of the revoked cert on your client you'll need to clean the CRL cache.

Item 2: CRL update
That is up to you and how you design your PKI. I don't really design entire PKIs, but I feel this is an issue that deserves some thought when setting up your PKI.

Item 3: Autoenrollment
You can test autoenrollment by enabling a template for autoenrollment. Then on the client machine type "certutil -user -pulse" for user certs or "certutil -pulse" for machine certs, and autoenroll will run and automatically enroll for that template. If you get that cert then autoenroll is doing its thing.

Item 4: GPO to get certs on clients
You can get a cert onto a client workstation using GPO. It has nothing to do with templates or a CA. But that will be just the cert, not the private key. Is that what you want?

Andrew
September 30th, 2011 11:21pm
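To put Andrew's Item 1 into commands, here is an added example (not code from the thread) that walks a test certificate through revocation and CRL publishing from a PowerShell prompt on the issuing CA and then checks the result from a client. The serial number, the CRL file path and the exported certificate path are assumptions; substitute your own.

```powershell
# Added example, not from the original thread. Run on the issuing CA
# (steps 1-4) and on a domain client (step 5). All paths/values below are
# assumptions chosen for illustration.
$serial   = '1a2b3c4d000000000005'                                    # assumed: take it from the -view output in step 1
$reason   = 1                                                         # 1 = Key Compromise; 0 Unspecified, 4 Superseded, 6 Certificate Hold
$crlFile  = 'C:\Windows\System32\CertSrv\CertEnroll\CONTOSO-CA.crl'   # assumed: base CRL written by the CA
$certFile = 'C:\temp\test-user.cer'                                   # assumed: exported copy of the test certificate

# 1. Issued certificates and when they expire (Disposition 20 = issued).
certutil -view -restrict "Disposition=20" -out "RequestID,SerialNumber,CommonName,NotAfter"

# 2. Revoke the test certificate, then publish a base CRL now instead of
#    waiting for the scheduled publication.
certutil -revoke $serial $reason
certutil -crl

# 3. The CA database now carries it as revoked (Disposition 21) with date and reason.
certutil -view -restrict "Disposition=21" -out "RequestID,SerialNumber,Request.RevokedWhen,Request.RevokedReason"

# 4. The serial must show up as a CRL entry; ThisUpdate/NextUpdate give the
#    window during which clients will keep using this CRL.
(certutil -dump $crlFile) -match 'Serial Number|Revocation Date|This ?Update|Next ?Update'

# 5. On the client: drop cached CRLs, make the chain engine re-fetch, and
#    verify the revoked certificate. Without the first two commands the client
#    keeps trusting the cached CRL until its NextUpdate. The output of -verify
#    should report the certificate as revoked.
certutil -urlcache crl delete
certutil -setreg chain\ChainCacheResyncFiletime '@now'   # quoted: bare @now would be parsed by PowerShell as splatting
certutil -verify -urlfetch $certFile
```

Step 5 is the part that usually trips up a lab test: the CA side looks fine, but the client still accepts the certificate because it is validating against a CRL it fetched before the revocation.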

1 & 2: Revoking a certificate is a manual activity that invalidates the certificate as a trusted security credential before its original validity period expires. In other words, a certificate will never show up in the revocation list before it has actually been revoked by an admin. Read more about revocation and how to configure CRL publishing intervals: http://technet.microsoft.com/en-us/library/cc771079.aspx

3: Autoenrollment is the process of automating certificate requests and updates on the client. These can include most types of certificates issued to computers and services, as well as many certificates issued to users. Autoenrollment is enabled by combining settings on the certificate template and settings on each client. Enabling certificate autoenrollment consists of the following tasks:
Configure certificate autoenrollment for computers and users via GPO: http://technet.microsoft.com/en-us/library/cc731522.aspx
Enable certificate autoenrollment on specific v2/v3 certificate templates: http://technet.microsoft.com/en-us/library/cc770546.aspx
Besides the above, please note that some settings in the certificate template directly affect the behavior of subject autoenrollment, as described in this article: http://technet.microsoft.com/en-us/library/cc778245(WS.10).aspx
To specifically answer your question about when to autoenroll/renew, the autoenrollment process will follow the Renewal period settings specified on the certificate template.

4: "Pushing" certificates to clients using templates is the process of autoenrollment as described above.

/Hasain
October 1st, 2011 2:20am
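For question 2 (how often the CRL is updated and where to check), here is an added example, not code from the thread, that reads the CRL publishing schedule the CA is actually using, optionally changes it, and checks the published CRL against it. Run it on the issuing CA; the CRL path and the new interval values are assumptions chosen for illustration.

```powershell
# Added example, not from the original thread. Run on the issuing CA.
$crlFile = 'C:\Windows\System32\CertSrv\CertEnroll\CONTOSO-CA.crl'   # assumed

# Current base/delta CRL periods, overlap and publication points. These are
# the CertSvc\Configuration\<CA name> registry values certutil exposes as CA\...
foreach ($v in 'CRLPeriodUnits', 'CRLPeriod', 'CRLDeltaPeriodUnits', 'CRLDeltaPeriod',
               'CRLOverlapUnits', 'CRLOverlapPeriod', 'CRLPublicationURLs') {
    certutil -getreg "CA\$v"
}

# Example change (assumed values): base CRL every day, delta CRL every 12 hours.
# Only do this as part of a deliberate CRL design: clients keep using a cached
# CRL until its NextUpdate, so a shorter period means more frequent fetches and
# a shorter time during which a revoked certificate is still accepted.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 12
certutil -setreg CA\CRLDeltaPeriod "Hours"
Restart-Service certsvc          # the CA reads these values when the service starts

# Publish now and read the window back from the CRL itself. NextUpdate minus
# ThisUpdate should be the CRL period plus the overlap period (the CA also
# backdates ThisUpdate slightly to allow for clock skew).
certutil -crl
(certutil -dump $crlFile) -match 'This ?Update|Next ?Update'
```

The `-dump` lines are the answer to "where do I check that": whatever the registry says, the ThisUpdate/NextUpdate pair in the published CRL is what relying parties actually see.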

I have run certutil -pulse and certutil -pulse -user. It says it completes successfully but nothing shows up in MMC / Certificates on the workstation.
October 3rd, 2011 3:57pm

1. Is a certificate template configured that assigns a global or universal group Read, Enroll, and Autoenroll permissions?
2. Is the user/machine a member of said group in step 1?
3. Is the certificate template available for enrollment at the issuing CA?
4. Is an autoenrollment GPO enabled? (Did you get it right? There are separate ones under User Configuration and Machine Configuration.)
5. Is the GPO linked to the domain or OU tree where the user/machine account exists?
6. Did you log on at a domain member computer with a domain user account?
All of these must be done properly for autoenrollment to work.

Brian
October 3rd, 2011 4:48pm
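Items 1 to 3 of Brian's list, plus the template renewal period Hasain mentioned for question 3, can be checked without clicking through the MMC. The following is an added example (not code from the thread) that inspects one template and the current user. Run it as the domain user on a domain member; the template name is an assumption, while the two extended-right GUIDs are the ones Active Directory defines for Enroll and Autoenroll.

```powershell
# Added example, not from the original thread. Run as the domain user whose
# autoenrollment you are testing, on a domain-joined client.
$templateName   = 'ContosoUserAutoEnroll'                        # assumed: CN of the duplicated template (not the display name)
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right

# Bind to the template object in the Configuration partition.
$cfgNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$tmpl  = [ADSI]"LDAP://CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
try { $tmpl.RefreshCache() } catch { throw "Template '$templateName' not found in AD: $_" }

# 1. Who holds Enroll / Autoenroll on the template (item 1).
$rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$enrollRules = $rules | Where-Object { $_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq $AutoEnrollGuid }
$enrollRules | Select-Object IdentityReference, AccessControlType,
    @{ n = 'Right'; e = { if ($_.ObjectType -eq $EnrollGuid) { 'Enroll' } else { 'Autoenroll' } } }

# 2. Is the current user, or one of the groups in its token, allowed Autoenroll (item 2)?
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myNames = @($me.Name) + @($me.Groups | ForEach-Object {
    $sid = $_
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
})
$allowedAuto = $enrollRules |
    Where-Object { $_.ObjectType -eq $AutoEnrollGuid -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $_.IdentityReference.Value }
$granted = @($allowedAuto | Where-Object { $myNames -contains $_ })
"Autoenroll granted to me via: {0}" -f $(if ($granted) { $granted -join ', ' } else { 'nothing (check group membership / which account you logged on with)' })

# 3. Is the template enabled on the CA (item 3)? certutil -CATemplates prints
#    one line per enabled template as "<CN>: <display name> -- Auto-Enroll".
$onCA = @(certutil -CATemplates) -match ('^' + [regex]::Escape($templateName) + ':')
"Enabled at the CA: {0}" -f [bool]$onCA

# Validity and renewal period. AD stores pKIExpirationPeriod and
# pKIOverlapPeriod as a negative 64-bit count of 100-nanosecond units;
# negating the value gives a TimeSpan. Autoenrollment renews once the
# remaining lifetime falls inside the renewal period, so for the "expires in
# 2 days, renew after 1 day" test the renewal period must come out at 1 day.
function ConvertFrom-PkiPeriod([byte[]]$bytes) {
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($bytes, 0))
}
$validity = ConvertFrom-PkiPeriod ([byte[]]$tmpl.Properties['pKIExpirationPeriod'].Value)
$renewal  = ConvertFrom-PkiPeriod ([byte[]]$tmpl.Properties['pKIOverlapPeriod'].Value)
"Validity {0:N1} days, renewal period {1:N1} days (renewal starts after {2:N1} days)" -f `
    $validity.TotalDays, $renewal.TotalDays, ($validity - $renewal).TotalDays
```

If the Autoenroll line reports "nothing" while the MMC shows the right group on the template, the usual cause is the account: a local logon, or a user added to the group after the last logon, does not carry the group SID in its token.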

Yes to all the above. No cert on my Windows 7 or my XP is appearing under MMC / Certificates / Personal for user or computer. Shouldn't the certificate show up on the workstation in MMC / Certificates / Personal?
October 4th, 2011 1:25pm

On Windows 7, run certmgr.msc, right-click "Certificates - Current User", select All Tasks and "Automatically Enroll and Retrieve Certificates". Check the results! If you want to check for computer autoenrollment, repeat the above using MMC as an admin and adding the Certificates snap-in.
For more troubleshooting on autoenrollment:
Check the client event log for any autoenrollment errors/events.
Check Certificate Services for any failed requests related to this.

/Hasain
October 4th, 2011 1:42pm

It says on your first step "Certificate auto-enrollment has not been enabled". But my template has Autoenroll and Enroll checked, with the workstation and user assigned to the template?
October 4th, 2011 4:12pm

I can manually get a certificate for both user and computer from MMC / Certificates. However, all of my templates have an X by them and say "unavailable" on my computer when I run "Automatically Enroll and Retrieve Certificates".
October 4th, 2011 4:20pm

Well, in my Group Policy I had "Certificate Services Client - Auto-Enrollment" enabled, but did not have "Certificate Services Client - Certificate Enrollment Policy" enabled. Now my GPO works.
October 4th, 2011 4:39pm
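The two troubleshooting steps Hasain gave (client event log, failed requests on the CA) and the policy settings that turned out to matter in the end can be checked from one script. This is an added example, not code from the thread. The registry paths are the ones the two "Certificate Services Client" policies write on Windows 7 / Server 2008; treat both paths and the AEPolicy bit meaning as assumptions to confirm against your own GPO results.

```powershell
# Added example, not from the original thread. Run on the client as the user
# being tested (an elevated prompt for the machine half); the last block runs
# on the issuing CA.

# Trigger autoenrollment so the log contains a fresh attempt.
certutil -pulse          # machine context
certutil -user -pulse    # user context

# Client side: autoenrollment writes to the Application log under this provider.
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# Which GPOs actually applied to this user and machine (Brian's item 5).
gpresult /r

# Policy footprint (assumed paths). "Auto-Enrollment" writes AEPolicy under
# ...\Cryptography\AutoEnrollment; "Certificate Enrollment Policy" writes under
# ...\Cryptography\PolicyServers. HKLM is the Computer Configuration half,
# HKCU the User Configuration half, which is why both must be checked.
foreach ($hive in 'HKLM', 'HKCU') {
    $ae = Get-ItemProperty "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ErrorAction SilentlyContinue
    $ps = Get-ItemProperty "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers" -ErrorAction SilentlyContinue
    $state = if ($ae -eq $null)                 { 'not configured' }
             elseif ($ae.AEPolicy -band 0x8000) { 'disabled' }      # assumed: bit 0x8000 = autoenrollment disabled
             else                               { 'enabled (AEPolicy=0x{0:X})' -f $ae.AEPolicy }
    "{0}: Auto-Enrollment {1}; Certificate Enrollment Policy {2}" -f $hive, $state,
        $(if ($ps -eq $null) { 'not configured' } else { 'configured' })
}

# CA side: requests the CA denied (Disposition 30) or failed (31), with the
# template and the CA's own reason text.
foreach ($d in 30, 31) {
    certutil -view -restrict "Disposition=$d" -out "RequestID,Request.SubmittedWhen,Request.RequesterName,CertificateTemplate,Request.DispositionMessage"
}
```

An empty event list combined with "not configured" for one hive is the pattern to look for: the client never attempted enrollment because the policy for that half (user or computer) never reached it, which is a GPO scoping problem rather than a template or CA problem.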
