{"id":1387,"date":"2022-08-08T13:35:16","date_gmt":"2022-08-08T18:35:16","guid":{"rendered":"http:\/\/zewwy.ca\/?p=1387"},"modified":"2022-08-08T13:59:52","modified_gmt":"2022-08-08T18:59:52","slug":"microsoft-certificate-auto-enrollment","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2022\/08\/08\/microsoft-certificate-auto-enrollment\/","title":{"rendered":"Microsoft Certificate Auto-enrollment"},"content":{"rendered":"<p>Source: <a href=\"https:\/\/www.sysadmins.lv\/blog-en\/certificate-autoenrollment-in-windows-server-2016-part-3.aspx\">Certificate Autoenrollment in Windows Server 2016 (part 3) &#8211; PKI Extensions (sysadmins.lv)<\/a><\/p>\n<p>Thanks to Vadims Podans for his detailed write-up.<\/p>\n<p>Source 2: Basic: <a href=\"https:\/\/docs.druva.com\/Knowledge_Base\/inSync\/How_To\/How_to_set_up_automatic_certificate_enrollment_in_Active_Directory\">How to set up automatic certificate enrollment in Active Directory &#8211; Druva Documentation<\/a><\/p>\n<p>Source 3 (Official): <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/core-network-guide\/cncg\/server-certs\/configure-server-certificate-autoenrollment\">Configure server certificate auto-enrollment | Microsoft Docs<\/a><\/p>\n<h1 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Overview\"><\/span>Overview<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>Autoenrollment configuration in general consists of three steps: configure the autoenrollment policy, prepare certificate templates, and prepare certificate issuers. 
Each configuration step is described in the next sections.<\/p>\n<h1 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Pre-requirements\"><\/span>Pre-requirements<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<ul>\n<li>Working AD<\/li>\n<li>Enterprise CA<\/li>\n<li>Proper permissions (this post assumes domain admin rights)<\/li>\n<\/ul>\n<h1 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Setup\"><\/span>Setup<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Configure_Autoenrollment_Policy\"><\/span>Configure Autoenrollment Policy<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ol>\n<li>Start the\u00a0<strong>Group Policy<\/strong>\u00a0editor. In an Active Directory environment, use the\u00a0<strong>Group Policy Management Console<\/strong>\u00a0(gpmc.msc). In a workgroup environment, use the\u00a0<strong>Local Group Policy Editor<\/strong>\u00a0(gpedit.msc);<\/li>\n<li>Expand to<\/li>\n<\/ol>\n<pre>\u00a0<code>Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies<\/code><\/pre>\n<ol start=\"3\">\n<li>Double-click on\u00a0<strong>Certificate Services Client \u2013 Auto-enrollment<\/strong>;<\/li>\n<li>Set Configuration Model to\u00a0<strong>Enabled<\/strong>;<\/li>\n<li>Configure the policy settings and save:<br \/>\n<a href=\"https:\/\/i.imgur.com\/3Cd4Rfw.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/3Cd4Rfw.png\" alt=\"\" width=\"400\" height=\"504\" \/><\/a><\/li>\n<li>Repeat steps 2-5 for the\u00a0<strong>User Configuration<\/strong>\u00a0node.<\/li>\n<\/ol>\n<p>*Note 1* You technically don&#8217;t *NEED* a policy; the minimum you do need is the registry setting the policy defines. The reason for the policy is obviously scalability. 
The key it defines is:<\/p>\n<pre>Key: SOFTWARE\\Policies\\Microsoft\\Cryptography\\AutoEnrollment\r\nValue: AEPolicy\r\nType: DWORD<\/pre>\n<p>Of course, HKLM or HKCU will be used depending on which node was configured in the policy, so if you want user auto-enrollment ensure the value is defined under HKCU. If you want machine auto-enrollment ensure it is defined under HKLM.<\/p>\n<p>*Note 2* Vadims doesn&#8217;t cover what each value represents, or what possible values are available. I was only able to <a href=\"https:\/\/social.technet.microsoft.com\/Forums\/en-US\/7540a363-5b3c-4133-a150-08b16cfec1f1\/certificate-services-autoenrollment-registry-key-aepolicy-6?forum=winserversecurity\">find this source<\/a> on it, which made the following statements:<\/p>\n<p>&#8220;Hi,<br \/>\nhttp:\/\/technet.microsoft.com\/en-us\/library\/cc731522.aspx<\/p>\n<p>The two checkboxes (point 7) control the value of AEPolicy<br \/>\n0 = none<br \/>\n1 = second<br \/>\n6 = first<br \/>\n7 = both selected&#8221;<\/p>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Configuring_Certificate_Templates\"><\/span>Configuring Certificate Templates<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>This section covers how to configure certificate templates.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Default_settings\"><\/span>Default settings<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The following are the default settings:<\/p>\n<ul>\n<li>Both domain administrators from the root domain and enterprise administrators for fresh installations of Windows Server 2003 (and newer) domains may configure templates.<\/li>\n<li>Certificate template ACLs are viewed in the\u00a0<strong>Certificate Templates<\/strong>\u00a0MMC snap-in.<\/li>\n<li>Certificate templates can be cloned or edited using the\u00a0<strong>Certificate Templates<\/strong>\u00a0MMC snap-in.<\/li>\n<li>Certificate templates need to be published before they can be used.<\/li>\n<li>Authenticated Users 
have Read permission on the template. (Leave it be)<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Creating_a_new_template_for_the_autoenrollment_of_Web_Server_Cert\"><\/span>Creating a new template for the autoenrollment of Web Server Cert<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>In this exercise we will create a certificate template intended for Server Authentication, usually for a web server (IIS). As an additional requirement, the certificate will be stored on the server. To create a new template for autoenrollment for a web server:<\/p>\n<ol>\n<li>Log on to a computer where the ADCS Remote Server Administration Tools (RSAT) are installed, with Enterprise Admins permissions;<\/li>\n<li>Press the Win+R key combination on the keyboard.<\/li>\n<li>In the\u00a0<strong>Run<\/strong>\u00a0dialog box, type\u00a0<em>certtmpl.msc<\/em>, and then click\u00a0<strong>Ok<\/strong>.<br \/>\nThe\u00a0<strong>Certificate Templates<\/strong>\u00a0MMC snap-in may also be invoked from the\u00a0<strong>Certification Authority<\/strong>\u00a0MMC snap-in by selecting the\u00a0<strong>Certificate Templates<\/strong>\u00a0folder, right-clicking, and then selecting\u00a0<strong>Manage<\/strong>.<\/li>\n<li>In the console tree, click\u00a0<strong>Certificate Templates<\/strong>.<\/li>\n<li>In the details pane, right-click the\u00a0<strong>Web Server<\/strong>\u00a0template, and then click\u00a0<strong>Duplicate Template.<\/strong><\/li>\n<li>The\u00a0<strong>Compatibility<\/strong> tab of the new template properties dialog box appears. Configure the compatibility settings to the minimum OS version that will consume this template and the minimum OS version of the CA server that will issue certificates based on this template. (In my lab: Server 2016, and client Windows 10)<\/li>\n<li>On the General tab, give it a name; do not publish in AD. 
If you want more info on these 2 checkboxes, read Vadims&#8217; guide on creating a smart card cert.<\/li>\n<li>Click the\u00a0<strong>Request Handling<\/strong> tab. This tab defines how the certificate request should be processed. Use the default settings on this tab.<\/li>\n<li>Switch to the\u00a0<strong>Cryptography<\/strong> tab:<br \/>\nI use Key Storage Provider, RSA, 2048, Requests can use any provider.<\/li>\n<li>Switch to the\u00a0<strong>Subject Name<\/strong>\u00a0tab. This tab defines how the subject name and certificate properties will be built.<br \/>\n*IMPORTANT* Check off &#8220;Use subject information from existing certificates for autoenrollment renewal requests&#8221;.<\/li>\n<li>Switch to the\u00a0<strong>Security<\/strong>\u00a0tab. This tab defines which users or groups may enroll or autoenroll for a certificate template. A user or group must have the\u00a0<strong>Read<\/strong>,\u00a0<strong>Enroll<\/strong>, and\u00a0<strong>Autoenroll<\/strong>\u00a0permissions to be automatically enrolled for a certificate template.<br \/>\nIn our case any web server computers joined to the domain will be granted Read, Enroll, and Autoenroll permissions.<\/li>\n<\/ol>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Publishing_the_Certificate_Template\"><\/span>Publishing the Certificate Template<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When a certificate template is prepared for autoenrollment, it must be added to the Enterprise CA server for issuance. This section describes how to add a certificate template to the CA for issuance using the Certification Authority MMC snap-in. 
For examples using certutil and PowerShell, <a href=\"https:\/\/www.sysadmins.lv\/blog-en\/certificate-autoenrollment-in-windows-server-2016-part-3.aspx\">see Vadims&#8217; post<\/a>.<\/p>\n<p>*Note* A standalone CA does not support certificate templates.<\/p>\n<h3 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Configuring_CA_using_MMC\"><\/span>Configuring CA using MMC<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The most convenient way to add a certificate template to a CA is to use the Certification Authority MMC snap-in:<\/p>\n<ol>\n<li>Log on to the CA server, or to a computer with the Remote Server Administration Tools installed, with CA Administrator permissions;<\/li>\n<li>Press the Win+R key combination on the keyboard;<\/li>\n<li>In the\u00a0<strong>Run\u2026<\/strong>\u00a0dialog, type \u201c<em>certsrv.msc<\/em>\u201d;<\/li>\n<li>If necessary, click on the root node, then open the\u00a0<strong>Action<\/strong>\u00a0menu and select\u00a0<strong>Retarget Certification Authority<\/strong>\u00a0to connect to the desired CA server;<\/li>\n<li>When connected, expand the CA node and select the\u00a0<strong>Certificate Templates<\/strong> folder. You will see the certificate templates supported for issuance by this CA.<\/li>\n<li>In the\u00a0<strong>Action<\/strong>\u00a0menu, select\u00a0<strong>New<\/strong>\u00a0and then\u00a0<strong>Certificate Template to Issue<\/strong>. In the opened dialog, select the target template and press\u00a0<strong>Ok<\/strong>\u00a0to finish. Ensure that the certificate template is listed in the\u00a0<strong>Certification Authority<\/strong>\u00a0MMC console.<\/li>\n<\/ol>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Request_and_Issue_Initial_Certificate\"><\/span>Request and Issue Initial Certificate<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now, with all the pre-reqs in place, all one has to do is log into the domain-joined machine and request a certificate. 
In our example, since we picked Server 2016 and the recipient as Windows 10, the template is saved as a version 4 template.<\/p>\n<p>*Note* Version 3 and 4 templates do not show up under the CA&#8217;s web enrollment option.<\/p>\n<p>If everything was done correctly, in the client-side Certificates snap-in for the machine you should be able to see the template listed:<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/iSCHV1R.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/iSCHV1R.png\" alt=\"\" width=\"630\" height=\"461\" \/><\/a><\/p>\n<p>Fill in a common name and a couple of DNS name fields to make browsers&#8217; SAN requirements happy. Once filled in, the Enroll option should be available.<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/lIKV4qT.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/lIKV4qT.png\" alt=\"\" width=\"633\" height=\"465\" \/><\/a><\/p>\n<h1 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Testing_and_Validating\"><\/span>Testing and Validating<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>Well, now that we got that, not sure how to test it getting renewed outside of the time going by&#8230;<\/p>\n<p>I did discover this command <a href=\"https:\/\/www.itprotoday.com\/strategy\/q-there-easy-way-trigger-automatic-certificate-enrollment-also-known-certificate-auto\">by searching for an answer:<\/a><\/p>\n<pre>certutil -pulse<\/pre>\n<p>Well, that doesn&#8217;t tell me much&#8230; wonder what the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/administration\/windows-commands\/certutil\">official MS source<\/a> has to say&#8230;<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/Kpq6d6Y.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/Kpq6d6Y.png\" alt=\"\" width=\"923\" height=\"313\" \/><\/a><\/p>\n<p>Real mature, Microsoft&#8230; This isn&#8217;t new either; here&#8217;s a bit more detailed 
answer <a href=\"https:\/\/social.technet.microsoft.com\/Forums\/windows\/en-US\/795f209d-b056-4de8-8dcf-7c7f80529aab\/what-does-quotcertutil-pulsequot-command-do?forum=winserversecurity\">from good ol&#8217; TechNet<\/a> (RIP).<\/p>\n<p>&#8220;Certutil -pulse will initiate autoenrollment requests.<\/p>\n<p>It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7)<\/p>\n<p>Right-click\u00a0<strong>Certificates<\/strong>, point to\u00a0<strong>All Tasks<\/strong>, click\u00a0<strong>Automatically Enroll and Retrieve Certificates<\/strong>.<\/p>\n<p>The command does require that<\/p>\n<p>&#8211; any autoenrollment GPO settings have already been applied to the target user or computer<\/p>\n<p>&#8211; a certificate template enables Read, Enroll and Autoenroll permissions for the user or a global or universal group containing the user<\/p>\n<p>&#8211; the group membership is recognized in the user&#8217;s token (they have logged on after the membership was added)&#8221;<\/p>\n<p>This action is available only when you right-click the very top &#8220;Certificates&#8221; node, not the subfolder nodes under the Personal folder.<\/p>\n<p>So again I wasn&#8217;t sure how to validate it will work when the time comes, as running the above action in certmgr only gave me the option to enroll in the computer certificate template; all the other templates were marked as &#8220;unavailable&#8221; even though I manually enrolled the cert above without issue. Which made me wonder if there&#8217;s a difference between auto-renewal of a certificate and auto-enrollment.<\/p>\n<p>I found <a href=\"https:\/\/argonsys.com\/microsoft-cloud\/library\/renew-web-server-ssl-certificates-automatically\/\">this post from a &#8220;field Engineer&#8221;<\/a> which seemed to conclude that they are tied together in some form.<\/p>\n<p>&#8220;The Autoenrollment Group Policy has to be enabled for this feature to work. 
This feature will also work on certificates issued prior to enabling it.&#8221;<\/p>\n<p>However, no other details. From what I can tell, the command certutil -pulse triggers the following scheduled task:<\/p>\n<pre>Microsoft\\Windows\\CertificateServicesClient\\SystemTask<\/pre>\n<p>Which, AFAIK, will only trigger certificate issuance on certs destined to expire. How close to expiry? I&#8217;m not sure; there was the option in the template to log at 10% remaining. I&#8217;m not sure that&#8217;s the threshold it uses to trigger a certificate renewal.<\/p>\n<p>I&#8217;m not sure if there&#8217;s a specific parameter you can set to tell it to renew a certificate before this expiry time.<\/p>\n<p>If you know, please leave a comment.<\/p>\n<p>Final note&#8230; <a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/get-started\/whats-new-in-iis-85\/certificate-rebind-in-iis85\">Ensure you enable the auto rebind feature introduced in IIS 8.5 and later.<\/a> I&#8217;ve had this bite me.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Source: Certificate Autoenrollment in Windows Server 2016 (part 3) &#8211; PKI Extensions (sysadmins.lv) Thanks to Vadims Podans for his detailed write up. 
Source 2: Basic: How to set up automatic certificate enrollment in Active Directory &#8211; Druva Documentation Source 3 (Official): Configure server certificate auto-enrollment | Microsoft Docs Overview Autoenrollment configuration in general consist of &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/zewwy.ca\/index.php\/2022\/08\/08\/microsoft-certificate-auto-enrollment\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Microsoft Certificate Auto-enrollment&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[8,197],"tags":[418,417,188],"class_list":["post-1387","post","type-post","status-publish","format-standard","hentry","category-server-administration","category-windows","tag-auto-renew","tag-autoenroll","tag-certificate"],"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1387","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1387"}],"version-history":[{"count":2,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1387\/revisions"}],"predecessor-version":[{"id":1393,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1387\/revisions\/1393"}],"wp:attachment":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1387"}],"wp:term":[{"taxonomy":"category","embedda
ble":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}