@LotfiBOUCHERIT-4930
Server certificate deployment process overview
**Note:** The details of how to perform these steps are provided in the section Server Certificate Deployment.

The process of configuring server certificate enrollment occurs in these stages:
- On WEB1, install the Web Server (IIS) role.
- On DC1, create an alias (CNAME) record for your Web server, WEB1.
- Configure your Web server to host the CRL from the CA, then publish the CRL and copy the Enterprise Root CA certificate into the new virtual directory.
- On the computer where you are planning to install AD CS, assign the computer a static IP address, rename the computer, join the computer to the domain, and then log on to the computer with a user account that is a member of the Domain Admins and Enterprise Admins groups.
- On the computer where you are planning to install AD CS, configure the CAPolicy.inf file with settings that are specific to your deployment.
- Install the AD CS server role and perform additional configuration of the CA.
- Copy the CRL and CA certificate from CA1 to the share on the Web server WEB1.
- On the CA, configure a copy of the RAS and IAS Servers certificate template. The CA issues certificates based on a certificate template, so you must configure the template for the server certificate before the CA can issue a certificate.
- Configure server certificate autoenrollment in Group Policy. When you configure autoenrollment, all servers that you have specified with Active Directory group memberships automatically receive a server certificate when Group Policy on each server is refreshed. If you add more servers later, they will automatically receive a server certificate, too.
- Refresh Group Policy on servers. When Group Policy is refreshed, the servers receive the server certificate, which is based on the template that you configured in the previous step. This certificate is used by the server to prove its identity to client computers and other servers during the authentication process.

  **Note:** All domain member computers automatically receive the Enterprise Root CA's certificate without the configuration of autoenrollment. This certificate is different than the server certificate that you configure and distribute by using autoenrollment. The CA's certificate is automatically installed in the Trusted Root Certification Authorities certificate store for all domain member computers so that they will trust certificates that are issued by this CA.
- Verify that all servers have enrolled a valid server certificate.
Refer to the URL below:
https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-part-2.aspx
An administrator may force all users to re-enroll for a given template by updating the major version number of the template. When Active Directory is queried during logon for required certificate templates, the version number is examined. If the version number has incremented, the certificate template is considered to be updated and the user must re-enroll for that template.
To manually force the template version to be updated (thereby forcing re-enrollment): right-click the template and select Reenroll All Certificate Holders.
Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
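The following PowerShell script is an added example to accompany the steps above; it is not part of the original answer or of Microsoft's documentation. It covers the last two stages of the procedure (refresh Group Policy, then verify that the server holds a valid certificate from the copied RAS and IAS Servers template) and the re-enrollment point from the sysadmins.lv article, by comparing the template major version recorded in the issued certificate with the current `revision` of the template object in Active Directory. The template display name, CA common name and CRL URL are placeholders that you replace with your own deployment's values; the Active Directory comparison needs the RSAT ActiveDirectory module and is skipped if it is absent.

```powershell
<#
Added example, not part of the original answer. Run in an elevated PowerShell on a
domain member server that is in the autoenrollment group. Placeholders:
  $TemplateName : display name of your copy of the "RAS and IAS Servers" template
  $CaName       : common name of the Enterprise Root CA (CA1 in the steps above)
  $CrlUrl       : HTTP path of the CRL you published on WEB1
#>
param(
    [string]$TemplateName = 'RAS and IAS Servers Copy',                # placeholder
    [string]$CaName       = 'corp-CA1-CA',                             # placeholder
    [string]$CrlUrl       = 'http://web1.corp.example.com/pki/CA1.crl' # placeholder
)

# Stage "Refresh Group Policy on servers": refresh computer policy, then run the
# autoenrollment task now instead of waiting for its next scheduled pass.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# Stage "Verify that all servers have enrolled a valid server certificate":
# look in the machine Personal store for certificates issued by our CA.
$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "CN=$CaName*" -and $_.HasPrivateKey }

# Current major version of the template in AD. "Reenroll All Certificate Holders"
# raises this value, which is what makes holders re-enroll at the next policy refresh.
$adMajor = $null
if (Get-Command Get-ADObject -ErrorAction SilentlyContinue) {
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC" `
        -Filter { displayName -eq $TemplateName } -Properties revision
    if ($tpl) { $adMajor = [int]$tpl.revision }
}

$results = foreach ($cert in $issued) {
    # v2+ templates record name and version in the Certificate Template Information extension
    $tplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $tplText = if ($tplExt) { $tplExt.Format($false) } else { '' }
    if ($tplText -notlike "*$TemplateName*") { continue }   # issued from another template

    $certMajor = if ($tplText -match 'Major Version Number=(\d+)') { [int]$Matches[1] } else { $null }

    # Build the chain with online revocation checking. This exercises the CRL hosted on
    # WEB1, so a failure here usually means the CDP is unreachable or the CRL is stale.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk     = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Confirm the CDP the certificate advertises points at the IIS virtual directory on WEB1
    $cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdpExt) { $cdpExt.Format($false) } else { '' }

    $now = Get-Date
    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        TimeValid       = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        ChainValid      = $chainOk
        ChainStatus     = if ($chainOk) { 'OK' } else { $chainStatus }
        CdpMatches      = $cdpText -like "*$CrlUrl*"
        TemplateMajor   = $certMajor
        AdTemplateMajor = $adMajor
        # True when the template was bumped after this certificate was issued
        NeedsReenroll   = ($null -ne $adMajor) -and ($null -ne $certMajor) -and ($adMajor -gt $certMajor)
    }
}

# Check the published CRL over HTTP independently of any certificate
try   { $crlOk = (Invoke-WebRequest -Uri $CrlUrl -UseBasicParsing).StatusCode -eq 200 }
catch { $crlOk = $false }

if (-not $results) {
    Write-Warning "No certificate from template '$TemplateName' issued by '$CaName' found in LocalMachine\My."
}
$results | Format-List
"CRL reachable at ${CrlUrl}: $crlOk"
```

Run it on each server in the autoenrollment group; a certificate that shows `TimeValid`, `ChainValid` and `CdpMatches` as True is the expected end state of the procedure, while `NeedsReenroll` True on an otherwise valid certificate means the template has been bumped (for example via Reenroll All Certificate Holders) and the server will pick up a new certificate at its next autoenrollment pass.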