Certificate Autoenrollment
paulcerv
07-09-2005, 10:53 PM
Hoping someone might be able to enlighten me on this subject and correct any
assumptions I am making that might be wrong. Thanks in advance.

When you set up your CA you can specify in the capolicy.inf file which PKI
services you wish to provide to users/computers. Some of these, such as
Basic EFS and Domain Controller, are set up for autoenrollment by default as
defined in Group Policy. This is fine, except for when you want to limit
who/what can request the certificates. I have both Basic EFS and Domain
Controller certificates being issued. I don't want to implement these
certificates yet and wish to control the requests which are building up in
my pending queue. I was able to modify the Autoenrollment setting in Group
Policy for my Win2003 Domain Controllers to stop them from requesting
certificates, but the Win2000 DCs are still requesting and I have not found
where the setting in Group Policy is to control this. I can also remove
this template from the certificate store, but I read a warning that once
removed you cannot issue certificates based on the template anymore. Not
sure if this simply meant that a custom template definition would not be
available, as I can't see any restriction that would keep me from adding it
back in after I removed it. This brings up the question, "Am I being a
paranoid control freak?" Should I just allow the domain controllers to
request their certificates even though I have not implemented anything yet
based on those certs? Just a bit confused why MS would assume this is how an
admin would want the default behavior.

Eduard Koller [MSFT]
07-09-2005, 10:54 PM
One of the reasons you may need a DC cert is for verification of smartcard
logons.
I don't see any reason for which you would want to prevent the DCs from
enrolling for certs.
However, if you really want to, you can remove the template from the list of
the templates your CA can issue. Yes, you can add it back later.

--
Eduard Koller[MS]

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

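
The "remove the template from the list your CA can issue, add it back later" approach from the reply, as an added PowerShell example that is not part of either post. It shells out to certutil.exe, which every Windows CA has, and assumes a current Windows Server CA where PowerShell is available. The function names, the `-Config` parameter, and the decoding of the AEPolicy registry value (0x8000 as the "disable all" flag set by the Autoenrollment Settings GPO) are my own; `DomainController` and `EFS` are the template common names for "Domain Controller" and "Basic EFS", which is what `certutil -SetCATemplates` expects rather than the display names.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): pause and later resume issuance of an
# autoenrolled template on an Enterprise CA, and look at what is sitting in
# the pending queue. Run on the CA, or pass -Config 'CAHost\CA Common Name'.
# certutil -SetCATemplates takes the template *common name* (CN), not the
# display name: "Domain Controller" is DomainController, "Basic EFS" is EFS.

function Invoke-CertUtil {
    # Assumed helper: runs certutil with an optional -config prefix and fails
    # loudly on a non-zero exit code instead of returning partial output.
    param([string[]]$Arguments, [string]$Config)
    if ($Config) { $Arguments = @('-config', $Config) + $Arguments }
    $output = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed ($LASTEXITCODE):`n$($output -join "`n")"
    }
    $output
}

function Get-PendingRequest {
    # Request.Disposition 9 = pending (waiting for an administrator to issue or deny).
    param([string]$Config)
    Invoke-CertUtil -Config $Config -Arguments @(
        '-view',
        '-restrict', 'Request.Disposition=9',
        '-out', 'Request.RequestID,Request.RequesterName,CertificateTemplate,Request.SubmittedWhen'
    )
}

function Get-IssuableTemplate {
    # Lines from -CATemplates look like "DomainController: Domain Controller -- ...";
    # return just the CNs so the list can be compared before and after a change.
    # The trailing "CertUtil: ... completed successfully." status line is skipped.
    param([string]$Config)
    Invoke-CertUtil -Config $Config -Arguments @('-CATemplates') | ForEach-Object {
        if ($_ -match '^(?<cn>[^:\s]+):\s' -and $Matches.cn -ne 'CertUtil') { $Matches.cn }
    }
}

function Set-TemplateIssuance {
    # -SetCATemplates -CN removes the template from the CA's issue list,
    # +CN puts it back. The template object itself stays in AD, so this is
    # the reversible step the reply describes, not a deletion of the template.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TemplateCN,
        [Parameter(Mandatory)][ValidateSet('Pause', 'Resume')][string]$Action,
        [string]$Config
    )
    $prefix = if ($Action -eq 'Pause') { '-' } else { '+' }
    if ($PSCmdlet.ShouldProcess($TemplateCN, "$Action issuance")) {
        Invoke-CertUtil -Config $Config -Arguments @('-SetCATemplates', "$prefix$TemplateCN") | Out-Null
    }
}

function Get-AutoenrollmentPolicyState {
    # Client side: the "Autoenrollment Settings" GPO the poster changed lands in
    # this registry value on the machine being enrolled. Assumption in this
    # example: 0x8000 is the "disable all" flag; a missing value means the
    # policy is Not Configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $val = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $val)        { 'NotConfigured' }
    elseif ($val -band 0x8000) { 'Disabled' }
    else                       { 'Enabled (AEPolicy=0x{0:X})' -f $val }
}

# Usage on the CA: see the queue, pause the two templates in question
# (-WhatIf first, then without it), verify the issue list, and run the same
# loop with -Action Resume when the PKI design is ready for them.
Get-PendingRequest
Get-IssuableTemplate
foreach ($cn in 'DomainController', 'EFS') {
    Set-TemplateIssuance -TemplateCN $cn -Action Pause -WhatIf
}
Get-AutoenrollmentPolicyState
```

Pausing issuance this way stops new requests from being approved for the template but does not touch requests already in the pending queue; those still have to be issued or denied by hand (certutil -deny takes a RequestID), and clients with autoenrollment enabled will keep asking until the CA no longer advertises the template.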