Public Key Infrastructure Part 7 – Enrollment and Auto-enrollment

In the last part, we created a certificate template for WinRM over HTTPS. Now the Sub CA is able to respond to enrollment requests. As a reminder, enrollment is the process by which a client obtains a signed certificate. The client that asks for a signed certificate is called the enrollee.

In this part, we will see how to obtain a certificate from the certificate template called WinRM.


To make an enrollment, open mmc.exe, click on File and then on Add/Remove Snap-in:

On the left menu, select Certificates and click on Add. There are three types of snap-in to manage certificates:

  • My user account: manage certificates related to your account (personal certificates);
  • Service account: manage certificates related to a service (IIS, LDAP, etc.);
  • Computer account: manage certificates related to the computer (or a remote computer).

I select Computer account, because the certificate will be used by WinRM.

Then right-click on the Personal store (or on Certificates, as below), select All Tasks and then Request New Certificate.

On the first screen, click on Next.

Select the Active Directory Enrollment Policy and click on Next.

Select the certificate template that you configured previously. In my case I select the WinRM certificate template that I configured in the previous part.

And that's all. The enrollment is in progress.

At the end of the enrollment, you should have the certificate in your personal store.
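The same manual enrollment can be scripted. The following PowerShell is an added example, not code from the original post: it requests a machine certificate from the WinRM template through the Active Directory Enrollment Policy with the built-in Get-Certificate cmdlet (PKI module, Windows Server 2012 and later), then checks what a practitioner wants to know before binding the certificate to a WinRM HTTPS listener. It assumes the template is named WinRM, that the computer account has Enroll permission on it, and that it is run as an administrator on the domain-joined server.

```powershell
# Added example (not from the original post): scripted equivalent of the MMC
# "Request New Certificate" steps above.
# Assumptions: template name is "WinRM"; the computer account has Enroll
# permission; the Sub CA is reachable via the AD Enrollment Policy.
#Requires -RunAsAdministrator

$templateName = 'WinRM'

# Without -Url, Get-Certificate uses the Active Directory Enrollment Policy,
# the same policy selected on the MMC wizard screen.
$result = Get-Certificate -Template $templateName -CertStoreLocation 'Cert:\LocalMachine\My'

# Status is Issued, Pending (CA manager approval required) or Error.
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is '$($result.Status)'"
}

$cert = $result.Certificate
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Issuer     : $($cert.Issuer)"
Write-Host "Expires    : $($cert.NotAfter)"
Write-Host "Thumbprint : $($cert.Thumbprint)"

# Check 1: the private key must exist on this machine, otherwise the
# certificate cannot be used by the WinRM service.
if (-not $cert.HasPrivateKey) { throw 'Private key is missing' }

# Check 2: the chain must build up to the Root CA published earlier in the
# series, with revocation checking (CRL/OCSP) actually reachable from here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Chain validation failed'
}

# Check 3: WinRM over HTTPS needs the Server Authentication EKU
# (OID 1.3.6.1.5.5.7.3.1) inside the Extended Key Usage extension (2.5.29.37).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
if (-not $hasServerAuth) { throw 'Certificate lacks the Server Authentication EKU' }

Write-Host 'Certificate is usable for WinRM over HTTPS.'
```

If the result status is Pending, the template requires CA certificate manager approval; the request shows up under Pending Requests on the Sub CA and the certificate appears in the Personal store once it is issued.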


With Active Directory Certificate Services, it is possible to use auto-enrollment to avoid the manual steps above. In this way, every machine where auto-enrollment applies obtains a certificate automatically. To configure auto-enrollment, your certificate template must have the security permissions (Autoenroll for the target computers) set correctly (see the previous part).

The next setting is configured in a GPO. So open gpmc.msc from a domain controller or a management server and create a new GPO.

Edit the GPO and navigate to Computer Configuration > Policies > Windows Settings > Public Key Services. Edit the Certificate Services Client - Auto-Enrollment policy and set the settings as below.

Next, link the GPO where you want servers to auto-enroll. On my side I want all my servers to obtain a certificate so that I can configure WinRM over HTTPS everywhere, so I link the GPO at the domain level.

Next I connect to a server and open an mmc as above. As you can see, no certificates are present on this server.

So I run gpupdate to refresh Group Policy on this server. My GPO is applied and I obtain certificates. I also have a certificate for OCSP signing, because I set another certificate template to auto-enroll the OCSP server (for the next part).

If I open the Certification Authority console on the Sub CA and navigate to Issued Certificates, I see the following:
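The gpupdate step and the two verifications above (on the server, then in the CA console) can also be done from PowerShell. The following is an added example, not code from the original post: it refreshes Group Policy, triggers the auto-enrollment pass immediately instead of waiting for the next scheduled run, looks in the machine store for a certificate issued from the WinRM template, and, if none arrived, prints the auto-enrollment events that explain why. It assumes the template is named WinRM, that the GPO from this part is linked to the server's OU or domain, and that the template OID can be resolved to its name on this domain member (the text form of the template extension includes the name only when the lookup succeeds).

```powershell
# Added example (not from the original post): force and verify auto-enrollment
# on a member server. Assumptions: template name is "WinRM"; the Auto-Enrollment
# GPO is linked; run as an administrator on the domain-joined server.
#Requires -RunAsAdministrator

$templateName = 'WinRM'

# Refresh computer policy so the Auto-Enrollment setting arrives, then trigger
# the auto-enrollment task now (certutil -pulse) rather than waiting for the
# next scheduled pass.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 10

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # V2+ templates carry the "Certificate Template Information" extension
    # (OID 1.3.6.1.4.1.311.21.7). Its text form reads
    # "Template=<name>(<oid>), Major Version Number=..., ..." when Windows can
    # resolve the OID; we take the name part. Assumption: the OID resolves here.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if (-not $ext) { return $null }
    if ($ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
    return $null
}

$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-TemplateName $_) -eq $templateName }

if (-not $certs) {
    # Auto-enrollment writes its outcome to the Application log under this
    # provider; the messages say whether it was skipped (no Autoenroll
    # permission, template not matched), failed (CA unreachable) or is pending.
    try {
        Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        } -MaxEvents 10 | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
    } catch {
        Write-Warning 'No auto-enrollment events found in the Application log.'
    }
    throw "No certificate from template '$templateName' found in Cert:\LocalMachine\My."
}

Write-Host "Certificates issued from template '$templateName':"
$certs | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# On the Sub CA itself, the same check against the CA database (the list shown
# under "Issued Certificates" in the console) is:
#   certutil -view -restrict "CertificateTemplate=WinRM" -out "RequestID,RequesterName,NotAfter"
```

Running this on every server after linking the GPO gives a quick audit of which machines actually received their WinRM certificate and, for the ones that did not, the auto-enrollment event text to troubleshoot permissions or template configuration.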

So it is working well. Now you know how to deploy a PKI and how to deploy a certificate. No excuse not to use HTTPS, IPsec or another way to encrypt communications. In the next part I will talk about the OCSP responder.


