In this post we will learn on how to configure GPO to enroll certificate automatically. We will configure GPO in such a way that all domain joined machines will have an unique certificate which can be used for different purpose. The pushed certificate can be used for 802.1x authentication for wired or wireless connections, It can also be used in any certificate based authentications. As the certificate is pushed automatically to all domain joined machines it reduces over-head to the administrators.
Configuration of GPO on domain controller to push certificate automatically on domain machines.
Step 1> Open Certification authority. Open server manager click on Tools and select Certification authority.
Step 2> Create a new template. Right click on Certificate templates and select manage.
There is a default template for user right click and duplicate it
Edit the details:
Give permissions (Read, Enroll, Autoenroll) to request group.
Add the newly created template to the Certificate templates:
Select the created template and click ok.
Now we will create group policy to enable auto enrollment.
The configured GPO policy will be shown in the list. We will use “Default Domain policy” for this example, We can choose another policy based on the configuration.
Right click on Default domain policy and select Edit.
So here will edit the setting for users. Expand User configuration > Windows settings> Security Settings > Public Key Policies > Right click select properties of Certificate Services Client – Auto-Enrollment
Same steps need to be repeated for Machine certificates.
After completing these steps we have successful completed Auto enroll configuration to push Certificate using GPO.
How to validate if the certificate is present on the domain machine.
Step 1> Go to run and type mmc hit enter:
Step 2> Click on file and Select Add/Remove Snap-in ..
Select Certificate and click add then click ok.
Expand the certificates for current user > Navigate to Personal > Certificates . In the below screenshot we can see that machine have enrolled certificate automatically using the GPO which we have configured on domain controller. there is one certificate present on the end user machine automatically.