Microsoft KB Archive/313407

= HOW TO: Create Automatic Certificate Requests with Group Policy in Windows =

PSS ID Number: 313407

Article Last Modified on 10/3/2003


The information in this article applies to:


 * Microsoft Windows 2000 Server




This article was previously published under Q313407



IN THIS TASK

 * SUMMARY
 * Requirements
 * Install a Certificate Template
 * Configure the Automatic Certificate Request Policy



== SUMMARY ==
This step-by-step article describes how to create automatic certificate requests with group policy.

Windows 2000-based and Windows XP-based computers that are members of an Active Directory domain can automatically be assigned certificates by using a group policy. The process of requesting, receiving and installing a certificate is known as certificate enrollment. You can configure all computers in a domain or organizational unit to automatically enroll for certificates. This can save the administrator a great amount of time by eliminating the need to manually assign certificates to all computers in a domain or organizational unit.


== Requirements ==
Before you create an automatic certificate request, you must know the following:
 * The type of certificate you want computers to enroll for automatically.
 * The certification authority (CA) that will issue the certificate.

Computer-related certificates include computer certificates, IPSec certificates, and Web server certificates. The certification authority you use will be able to issue certificates of different types and purposes.

You must have administrative privileges to establish an automatic certificate request enrollment policy. Automatic certificate requests will work only with certification authorities that are running the enterprise policy module. The enterprise CA must contain the certificate template you want to assign. For example, if you want to automatically assign an IPSec certificate, the IPSec certificate template must be installed on the CA.


== Install a Certificate Template ==
Use the following steps to install a certificate template. These steps must be performed on an enterprise CA in the Active Directory domain:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
 * 2) In the Certification Authority console, expand your domain name, right-click the Policy Settings node in the left pane, point to New, and then click Certificate to Issue.
 * 3) In the Select Certificate Template dialog box, click the certificate template you require. In this example, click the IPSEC certificate, and then click OK.
 * 4) Quit the Certification Authority console.


== Configure the Automatic Certificate Request Policy ==
Use the following steps to configure an automatic certificate request policy that allows automatic enrollment for domain computers:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the Active Directory Users and Computers console, right-click your domain name, and then click Properties.
 * 3) Click the Group Policy tab, click a domain group policy object, and then click Edit.
 * 4) In the Group Policy console, expand the Computer Configuration node, expand the Windows Settings node, expand the Security Settings node, and then expand the Public Key Policies node.
 * 5) Right-click the Automatic Certificate Request Settings node, point to New, and then click Automatic Certificate Request.
 * 6) When the Automatic Certificate Request Setup Wizard starts, click Next.
 * 7) On the Certificate Template page, click the template you require. In this example, click the IPSEC template, and then click Next.
 * 8) On the Certificate Authority page, select the enterprise CA for your domain by placing a checkmark in the check box to the left of the CA. Click Next.
 * 9) On the Completing the Automatic Certificate Request Setup page, click Finish. The new certificate is automatically requested the next time the user logs on or the next time the domain Group Policy is refreshed. The certificate will be installed on new computers when they join the domain.
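
One way to confirm on a domain member that the policy configured above delivered a certificate, as an added example that is not part of the original Microsoft article. It assumes Windows PowerShell 3.0 or later on the computer being checked, that the IPSEC template issues certificates carrying the "IP security IKE intermediate" enhanced key usage (OID 1.3.6.1.5.5.8.2.2), and a placeholder CA name that you replace with your own:

```powershell
# Added example: audit the computer store for an auto-enrolled IPSec certificate.
# Assumptions: PowerShell 3.0+; $ExpectedIssuer is a placeholder for your
# enterprise CA's name; the IPSEC template sets the EKU named below.
$ExpectedIssuer = 'CN=<your enterprise CA name>'
$IpsecIkeOid    = '1.3.6.1.5.5.8.2.2'   # EKU: IP security IKE intermediate
$WarnDays       = 30                    # flag certificates expiring within this window

function Test-IpsecMachineCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Issuer,
        [string]$Oid,
        [int]$Days
    )
    # Collect every EKU OID present in the certificate's extensions.
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasIpsecEku   = $ekus -contains $Oid
        IssuerMatch   = $Cert.Issuer -like "*$Issuer*"   # issued by the CA chosen in the wizard?
        HasPrivateKey = $Cert.HasPrivateKey              # unusable for IPSec without it
        ExpiresSoon   = $Cert.NotAfter -lt (Get-Date).AddDays($Days)
        NotAfter      = $Cert.NotAfter
    }
}

# Computer certificates requested through this policy land in LocalMachine\My.
$results = Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IpsecMachineCert $_ $ExpectedIssuer $IpsecIkeOid $WarnDays } |
    Where-Object { $_.HasIpsecEku }

if (-not $results) {
    Write-Warning 'No IPSec certificate in the computer store; Group Policy may not have refreshed yet.'
} else {
    $results | Format-Table Subject, IssuerMatch, HasPrivateKey, ExpiresSoon, NotAfter -AutoSize
}
```

A row with IssuerMatch set to False points to a certificate that did not come from the CA selected in the wizard and is worth investigating.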



© 2004 Microsoft Corporation. All rights reserved.