It Calls

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Tuesday, 27 August 2013

Enable Auto Enrollment to Avoid Expiring Certificates

Posted on 15:06 by Unknown
Its common that sometimes few admins miss the renewal of some key certificates in their Microsoft internal PKI (Public Key Infrastructure), this is due to the fact that its a bit of manual task and you need to set manually some Outlook reminders (My favorite method) or run schedules tasks to remind you before the Certificate expiration date.

However if you a user that logs frequently on this CA (Certificate Authority) server we can enable Auto Enrollment for this user. After configuring it, we don’t need to worry about the expiring certificates as long as the specific user still logs onto the CA.

To Enable Auto Enrollment you need to do the following:


  1. Right click on the Certificate Template where you need to enable the Auto Enrollment feature
  2. On the Security Tab (Check below image), add a specific user or grant an existing user the Auto Enroll permission (In my case i picked a normal low privileged service account that connects periodically on the server at least each month for maintenance and installing latest windows updates.)                                                                                                                                                                                                                                                                      
                                                                                                                                                             
  3. Publish the Template and issue the needed certificate.
  4. Open the Group Policy Management (On your Domain Controller) and either create a new Group policy or simply edit the Default Domain Policy
  5. Navigate to User Configuration - Policies - Windows Settings - Security Settings - Public Key Policy and enable Autoenrollment as shown below. 

This user with the Autoenroll feature enabled when logged in on the CA server will get notified and the certificate will get enrolled and the Certificate won't get expired.




Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in PKI | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Error 0x803100B7 Group Policy settings require the creation of a startup PIN, but a pre-boot keyboard is not available on this device
    I Purchased few weeks ago the Microsoft Surface Pro tablet, its a very nice production tablet that really enables remote users to run their ...
  • Microsoft Hyper-V VMMS & System services stop after December 2012 Updates (KB2506143)
    I had an issue recently with some Hyper-V servers where it was noticed that the Hyper-V system services (VMMS, VHDSVC & NVSPWMI) gets st...
  • Two DNS Records with same IP Address. Aging and Scavenging problems with DHCP Lease duration !!
    Aging and Scavenging is very crucial and important for Active Directory Integrated zone, it should be carefully planned and configured. We r...
  • How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub
    Its highly recommended when building your Microsoft PKI (Public Key Infrastructure) to have your Root CA offline after issuing the Enterpris...
  • Windows 7 Direct Access Client Troubleshooting – Part 1 – Client Transition Technologies
    During the past few months I was heavily engaged with different DirectAccess implementations and passed by several interesting issues/proble...
  • Manual Install of UAG 2010/Remote App and RDS Portal Components
    Microsoft UAG 2010 main functions are Application Publishing and Enhanced DirectAccess deployment. The Application publishing allows you to ...
  • The Card Supplied Requires Drivers that are not present on this System
    I recently started getting the above mentioned Logon warning Message (Check below screen shot) while logging on my old 2003 and 2003R2 serve...
  • UAG Direct Access IP-HTTPS fail with SAN Certificate
    Lately I passed by this issue with a client trying to implement the UAG Direct Access using UCC SAN (Subject Alternative Name) Certificate. ...
  • AD CS not configured for Revocation checking of all certificates
    Recently the SCOM server (One of your best friends on the network) started reporting the error "AD CS not configured for Revocation che...
  • Surface 2 RT Bitlocker Recovery Key problem is fixed
    Windows Surface 2 RT comes already pre-setup with Bitlocker encryption, the user don't need to do anything to enable it or set/type a pa...

Categories

  • Active Directory
  • Bitlocker
  • DirectAccess
  • Hyper-V
  • Lync
  • PKI
  • SQL
  • System Center
  • UAG
  • WSUS

Blog Archive

  • ►  2014 (1)
    • ►  January (1)
  • ▼  2013 (27)
    • ►  December (5)
    • ►  November (4)
    • ►  October (2)
    • ►  September (1)
    • ▼  August (4)
      • Enable Auto Enrollment to Avoid Expiring Certificates
      • The Validity Period of an Issued Certificate is Sh...
      • How to Publish New Certificate Revocation List (CR...
      • How to Manually Delete Old/Empty WSUS computer Gro...
    • ►  July (4)
    • ►  May (1)
    • ►  April (2)
    • ►  March (3)
    • ►  February (1)
  • ►  2012 (25)
    • ►  December (2)
    • ►  November (3)
    • ►  October (3)
    • ►  September (2)
    • ►  August (2)
    • ►  July (2)
    • ►  May (2)
    • ►  April (1)
    • ►  March (3)
    • ►  February (2)
    • ►  January (3)
  • ►  2011 (5)
    • ►  December (2)
    • ►  November (3)
Powered by Blogger.

About Me

Unknown
View my complete profile