A lot of the new technologies requiring certificates to be used for authentication require those certificates to be distributed on a large scale. For example, if we want to use the Computer certificate for DirectAccess authentication, we need to issue a certificate to every DirectAccess client computer. This could be thousands of laptops in your network. If we want to start encrypting traffic inside the network with IPsec and require certificates to be distributed for that purpose, you would potentially need to issue some kind of machine certificate to every computer inside your network. While you could certainly issue each by hand using either the MMC console or the CA web interface, that doesn't sound like very much fun.
Enter Autoenrollment. We can turn on this feature, which is sort of like flipping a switch in Active Directory, and in doing so we can tell AD to issue certificates automatically to the computers, even if we need to get them to every single domain-joined system. Let's work together through this recipe to turn on this option and test it out.
We are working inside a Windows Server 2016 based Active Directory domain. We also have a Server 2016 Enterprise Root CA running in this network. The work that we will be accomplishing is a combination of work on the CA server and work inside Group Policy on a Domain Controller.
To enable Autoenrollment in your domain, take a look at these instructions:
We make use of Group Policy in order to flip our autoenrollment on-switch and immediately start the autoenrollment of certificates to our domain-joined systems. There are a couple of different ways that autoenrollment can be regulated. You can decide who gets the autoenrollment policy applied to them through Group Policy links and filtering, meaning that you can define in the GPO properties which users or computers are going to be subject to autoenrollment in the first place. Alternatively, or additionally, you can also specify permissions inside each certificate template on the CA server so that you can better determine which users or computers in your environment will receive copies of each template once autoenrollment is enabled.
Planning is essential to this task. You need to build a clear definition for what certificates you need to publish, and to which devices or people you need that certificate to roll itself out to. Follow the steps incorrectly and it may not work, or worse yet, you may end up with a thousand certificates being issued all over your network that you did not intend to be distributed. Group Policy is extremely powerful, and tapping into that power comes with great responsibility.
After configuring these settings, if you reboot a few domain-joined machines in your network, you will notice that when they come back online, there will be a new certificate sitting in the computer's personal certificate store. Sit back and wait a few hours, and they will have rolled around to everybody automatically. If you don't like waiting for Group Policy to refresh, you can open Command Prompt on some of those computers and issue the gpupdate /force command to manually refresh the policies and pull down the certificate.
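An added verification script, not part of the recipe, that you can run on a domain-joined client to confirm that the autoenrollment policy has actually applied and to list which certificates in the computer's personal store came from a CA template, so the rollout can be compared against the plan from the previous section. The registry path, the meaning of the AEPolicy bit, and the template-extension OIDs are assumptions about the Windows implementation rather than values from the recipe.

```powershell
# Added example (not from the recipe): check autoenrollment state on a
# domain-joined client. Assumes the Group Policy setting is written to the
# registry path below and that bit 0x1 of AEPolicy means "enabled".
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy

if ($null -eq $aePolicy) {
    Write-Output 'Autoenrollment policy not present: the GPO has not applied to this machine yet.'
} elseif (($aePolicy -band 1) -eq 0) {
    Write-Output "Autoenrollment is disabled by policy (AEPolicy = $aePolicy)."
} else {
    Write-Output "Autoenrollment is enabled (AEPolicy = $aePolicy)."
}

# Certificates issued from an AD CS template carry a template extension:
# 1.3.6.1.4.1.311.20.2 for v1 templates, 1.3.6.1.4.1.311.21.7 for v2 and
# later (assumed OIDs). Listing them shows exactly which templates reached
# this machine; anything not in your plan is a sign of an over-broad GPO
# link or template permission.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ext  = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            Select-Object -First 1
    if ($ext) {
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Template   = $ext.Format($false)   # decoded text, e.g. 'Template=...'
            Thumbprint = $cert.Thumbprint
        }
    }
} | Format-Table -AutoSize
```

If the GPO was only just linked, run gpupdate /force first; certutil -pulse then triggers an autoenrollment pass immediately instead of waiting for the scheduled one.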