Книга: Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant

Automatically enrolling computer and user certificates


A server designated as a certificate authority (CA) is responsible for issuing digital certificates and managing certificate revocation lists (CRLs). Servers running Windows Server can be configured as certificate authorities by installing Active Directory Certificate Services. Computers and users can use certificates for authentication and encryption.

In an enterprise configuration, enterprise CAs are used for automatic enrollment. This means authorized users and computers can request a certificate, and the certificate authority can automatically process the certificate request so that the users and computers can immediately install the certificate.

Group Policy controls the way automatic enrollment works. When you install enterprise CAs, automatic enrollment policies for users and computers are enabled automatically. The policy for computer certificate enrollment is Certificate Services Client-Auto-Enrollment Settings under Computer ConfigurationPoliciesWindows SettingsSecurity SettingsPublic Key Policies. The policy for user certificate enrollment is Certificate Services Client-Auto-Enrollment under User ConfigurationPoliciesWindows SettingsSecurity SettingsPublic Key Policies.

You can configure automatic enrollment by following these steps:

1. In the GPMC, press and hold or right-click the GPO with which you want to work, and then tap or click Edit.

2. In the policy editor, access User ConfigurationPoliciesWindows SettingsSecurity SettingsPublic Key Policies or Computer ConfigurationPoliciesWindows SettingsSecurity SettingsPublic Key Policies as appropriate for the type of policy you want to review.

3. Double-tap or double-click Certificate Services Client-Auto-Enrollment. To disable automatic enrollment, select Disabled from the Configuration Model list, tap or click OK, and then skip the remaining steps in this procedure. To enable automatic enrollment, select Enabled from the Configuration Model list.

4. To automatically renew expired certificates, update pending certificates, and remove revoked certificates, select the related check box.

5. To ensure that the latest version of certificate templates are requested and used, select the Update Certificates That Use Certificate Templates check box.

6. To notify users when a certificate is about to expire, specify when notifications are sent using the box provided. By default, notifications are sent when 10 percent of the certificate lifetime remains.

7. Tap or click OK to save your settings.

Оглавление книги


Генерация: 1.220. Запросов К БД/Cache: 3 / 1
поделиться
Вверх Вниз