User Certificate Autoenrollment
Hey all, I've been trying to deploy user certificates for document signing. I am following this article to a T: http://technet.microsoft.com/en-us/library/cc770857.aspx However, it's just not working. When I open my certificate store and I run through the wizard "Automatically Enroll and Retrieve Certificates", the certificate does not show up. If this is blank, then I know it's not going to work. What am I missing? This vague statement at the bottom of the article has me wondering: "Ensure that all appropriate domain system containers are configured for autoenrollment of user certificates either through the inheriting of Group Policy settings of a parent system container or through explicit configuration." Thanks!
February 2nd, 2012 10:22am

It means, make sure that the Autoenrollment GPO is enforced at the OU where you have the users either by inheritance or directly. If you try to request the certificate manually using that template, what result do you get? What is the output of the command: certutil -adtemplate "TemplateName" /Hasain
February 2nd, 2012 1:14pm

Okay, well I'm okay on the GPO then. When I ran certutil, I get: C:\WINDOWS\system32>certutil -adtemplate "DocumentSignature" DocumentSignature: Document Signature -- Auto-Enroll CertUtil: -ADTemplate command completed successfully. I do not see anything in my certificate store, though... not sure if I should.
February 2nd, 2012 2:13pm

To get the certificate, best bet is to log on and log off. Can also run certutil -pulse Brian
February 2nd, 2012 2:20pm

Thanks. I've tried a combination of: certutil -adtemplate "DocumentSignature" certutil -pulse and a complete reboot. Still do not have anything under my certificate store. Thanks!
February 2nd, 2012 5:18pm

Does your user have auto-enrolment and read access to the template? Check your registry for HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment, which will confirm that the GPO setting has been applied (shouldn't have a value of 0).
February 2nd, 2012 5:35pm

The result from the command: certutil -adtemplate "DocumentSignature" shows that you have enabled AutoEnrollment on the certificate template, but you still need to verify that AutoEnrollment has been enabled for the user! /Hasain
February 2nd, 2012 5:51pm

I deleted my template, and issue. I made a new one. I ensured that "read", "enroll", "autoenroll" were enabled for "Authenticated Users", and "Domain Users". I ran: certutil -adtemplate "DocumentSignature" certutil -pulse AND rebooted. Still no certificate. Hasain, that sounds plausible. HKEY_CURRENT_USER\Software\Policies\Microsoft\Cryptography\AutoEnrollment\ Doesn't have anything in it. So it's not getting enabled from the Default Domain Policy?
February 2nd, 2012 6:41pm

To verify the autoenrollment setting, run rsop.msc on the client and check the user autoenrollment settings. /Hasain
February 2nd, 2012 6:51pm

Be sure you have set *user* autoenrollment and not just *machine* autoenrollment as well Brian
February 2nd, 2012 8:04pm

To verify the autoenrollment setting, run rsop.msc on the client and check the user autoenrollment settings. /Hasain
February 3rd, 2012 2:43am

Thanks! I found that another GPO had the configuration enabled, but none of the required enrollment options were set. I don't know why, and it took way too long to find. Thanks for rsop. I wouldn't have expected that was the problem in all of this!
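A PowerShell check that gathers the three things the replies above asked the poster to look at (user-side GPO registry key, template Auto-Enroll flag in AD, and whether a certificate from the template reached the user's Personal store). This is an added example, not posted in the thread; it assumes the template common name "DocumentSignature" from the thread, and that the value name AEPolicy is what the user autoenrollment policy writes under the AutoEnrollment key (the thread only says the key should exist and not be 0).

```powershell
# Added example (not from the thread): collect the autoenrollment checks the replies suggested.
# Assumptions: template common name "DocumentSignature"; AEPolicy is the DWORD the
# "Certificate Services Client - Auto-Enrollment" user policy writes under the key below.
param([string]$TemplateName = "DocumentSignature")

$aeKey = "HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment"

# 1. Has the *user* GPO setting actually reached this user? A missing key means the
#    user-configuration policy was never applied (machine autoenrollment alone is not enough).
if (Test-Path $aeKey) {
    $ae = Get-ItemProperty -Path $aeKey
    "AutoEnrollment key present; AEPolicy = $($ae.AEPolicy)"
    if ($ae.AEPolicy -eq 0) { "  -> AEPolicy is 0: user autoenrollment is disabled by policy" }
} else {
    "AutoEnrollment key missing under HKCU: the user autoenrollment GPO is not applied here"
    "  -> confirm with: gpresult /r /scope:user   (or rsop.msc, as the thread suggests)"
}

# 2. Is the template published in AD and flagged Auto-Enroll? Same check as the thread's
#    certutil run; the "Auto-Enroll" marker only appears when the flag is set on the template.
$tpl = certutil -adtemplate $TemplateName 2>&1
$tpl | Where-Object { $_ -match [regex]::Escape($TemplateName) }
if (-not ($tpl -match "Auto-Enroll")) { "  -> template '$TemplateName' is not flagged for autoenrollment" }

# 3. Did a certificate issued from that template land in Cert:\CurrentUser\My?
#    v1 templates carry the name in 1.3.6.1.4.1.311.20.2, v2+ templates carry the template OID
#    in 1.3.6.1.4.1.311.21.7; Format() renders the name when the client can resolve the OID.
$tplOids = "1.3.6.1.4.1.311.20.2", "1.3.6.1.4.1.311.21.7"
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Extensions | Where-Object {
        $tplOids -contains $_.Oid.Value -and $_.Format($false) -match [regex]::Escape($TemplateName)
    }
}
if ($certs) {
    $certs | Select-Object Subject, NotAfter, Thumbprint
} else {
    "No certificate from template '$TemplateName' in Cert:\CurrentUser\My; after fixing policy, run: certutil -pulse"
}
```

Run it as the user who should be enrolling, not from an elevated prompt under a different account, since HKCU and Cert:\CurrentUser are per-user.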
February 3rd, 2012 7:50am
