How to Configure Server Certificate Auto-enrollment #Group Policy #GPO #Certificate #Server #Auto-Enrollment #Mvphour

      No Comments on How to Configure Server Certificate Auto-enrollment #Group Policy #GPO #Certificate #Server #Auto-Enrollment #Mvphour

Today, I am going to show you how to configure Server Certificate Auto-enrollment via Group Policy, you need to have an Enterprise certification authority root server before you configure auto-enrollment, if you don’t know how to install Enterprise certification authority root server, you can follow my previously post and step by step to install it.

  1. Login to Certificate Authority server.
  2. On the Server Manager page, select Tools and click Certification Authority.

  3. On the Certificate Authority page, select your Domain and click Certificate Templates, There are some exiting templates by default, I am going to use Computer (it’s intended purpose for Client Authentication and Server Authentication) template for server certificate auto-enrollment, you also can create (duplicate) a new certificate for it.

  4. Before we are starting to configure server certificate auto-enrollment, select Issued certificates, you will notice there is no existing certificate be issued.

  5. Login to the Domain controller server.
  6. On the Server Manager page, select Tools, click Group Policy Management.

  7. On the Group Policy Management page, right-click Group Policy Object and select New.

  8. On the New GPO enter Auto Enrollment for Computer Certificate Policy as Name, click OK.

  9. Right-click the Auto Enrollment for Computer Certificate Policy, select Edit.

  10. On the Group Policy Management Editor page, expand Computer Configuration àPolicies àWindows Settings àSecurity Settings, select Public Key Policies and double click Certificate Services Client – Auto-Enrollment.

  11. On the Certificate Services Client – Auto-Enrollment page, change Configuration Model form Not configured to Enable.

  12. On the Configuration Model, select Renew expired certificate, update pending certificates, and remove revoked certificates.
  13. On the Configuration Model, select Update certificates that use certificate templates. Click OK.

  14. On the Policy Key Policies, right-click Automatic Certificate Request Settings, select New.

  15. On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next.

  16. On the Certificate Template page, select Computer, click Next.

  17. On the completing the Automatic Certificate Requests Setup Wizard page, make sure setup successfully, click Finish.

  18. On the Automatic Certificate Request Settings, make sure the Computer certificate is showing and close Group Policy Management Editor.

  19. On the Group Policy Management page, right-click your local domain name (or the Server OU), select Link an Existing GPO.

  20. On the Select GPO page, select Auto Enrollment for Computer Certificate Policy, click OK.

  21. Make sure the Auto Enrollment for Computer Certificate Policy GPO is under the local domain (or the Server OU).

  22. You can force update the GPO to Server via gpudate /force command.

  23. Now, you will see the certificate is showing on the servers and Issued certificates of Certification Authority server.

Hope you enjoy this post.

Cary Sun

Twitter: @SifuSun

About Post Author

Cary Sun

Cary Sun has a wealth of knowledge and expertise in data center and deployment solutions. As a Principal Consultant, he likely works closely with clients to help them design, implement, and manage their data center infrastructure and deployment strategies.
With his background in data center solutions, Cary Sun may have experience in server and storage virtualization, network design and optimization, backup and disaster recovery planning, and security and compliance management. He holds CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) from 1999. Cary is also a Microsoft Most Valuable Professional (MVP), Microsoft Azure MVP, Veeam Vanguard and Cisco Champion. He is a published author with several titles, including blogs on Checkyourlogs.net, and the author of many books.
Cary is a very active blogger at checkyourlogs.net and is permanently available online for questions from the community. His passion for technology is contagious, improving everyone around him at what they do.

Blog site: https://www.checkyourlogs.net
Web site: https://carysun.com
Blog site: https://gooddealmart.com
Twitter: @SifuSun
in: https://www.linkedin.com/in/sifusun/
Amazon Author: https://Amazon.com/author/carysun

See author's posts

Leave a Reply