Share via


Enrolling Certificates with Templates

Applies To: Windows Server 2008, Windows Server 2008 R2

The domain membership of computers for which you want to enroll certificates affects the certificate enrollment method that you can choose. Certificates for domain member computers can be enrolled automatically, whereas an administrator must enroll certificates for non-domain member computers by using the Active Directory Certificate Services (AD CS) Web enrollment tool or a floppy disk or compact disc.

Domain member certificate enrollment

If your virtual private network (VPN) server, Network Policy Server (NPS) server, or client running Windows 2000, Windows XP, or Windows Vista is a member of a domain running Windows Server 2008 or Windows Server 2003 and Active Directory Domain Services (AD DS), you can configure the autoenrollment of computer and user certificates. After autoenrollment is configured and enabled, all domain member computers receive computer certificates when Group Policy is next refreshed, whether the refresh is triggered manually with the gpupdate command or by logging on to the domain.

If your computer is a member of a domain where AD DS is not installed, you can install computer certificates manually by requesting them through the Certificates Microsoft Management Console (MMC) snap-in.

Note

Computers running Windows 2000 can autoenroll computer certificates only.

Non-domain member certificate enrollment

Certificate enrollment for computers that are not domain members cannot be performed with autoenrollment. When a computer is joined to a domain, a trust is established that allows autoenrollment to occur without administrator intervention. When a computer is not joined to a domain, trust is not established and a certificate is not issued. Trust must be established by using one of the following methods:

  • An administrator (who is, by definition, trusted) must request a computer or user certificate by using the certification authority (CA) Web enrollment tool.

  • An administrator must save a computer or user certificate to a floppy disk or portable USB drive, and then install it on the non-domain member computer. Or, when the computer is not accessible to the administrator — for example, a home computer connecting to an organization network with an Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPsec) VPN connection — a domain user whom the administrator trusts can install the certificate.

  • An administrator can distribute a user certificate on a smart card (computer certificates are not distributed on smart cards).

Many network infrastructures contain VPN and NPS servers that are not domain members. For example, a VPN server in a perimeter network might not be a domain member for security reasons. In this case, a computer certificate with the Server Authentication purpose contained in the EKU extensions must be installed on the non-domain member VPN server before it can successfully negotiate L2TP/IPsec-based VPN connections with clients. If the non-domain member VPN server is used as an endpoint for a VPN connection with another VPN server, Enhanced Key Usage (EKU) extensions must contain both the Server Authentication and Client Authentication purposes.

If you are running an enterprise certification authority (CA) on a computer running Windows Server 2008 or Windows Server 2003, Standard Edition, you can use the following table to determine the best certificate enrollment method for your requirements.

Object and domain membership Certificate template Certificate purposes Preferred certificate enrollment method Alternate certificate enrollment method

VPN, Internet Authentication Service (IAS), or NPS server, domain member

Computer

Server Authentication

Autoenrollment

Request a certificate by using the Certificates snap-in

VPN server with site-to-site connection, domain member

Computer

Server Authentication and Client Authentication

Autoenrollment

Request a certificate by using the Certificates snap-in

Client running Windows Vista or Windows XP, domain member

Computer

Client Authentication

Autoenrollment

Request a certificate by using the Certificates snap-in

VPN, IAS, or NPS server, non-domain member

Computer

Server Authentication

CA Web enrollment tool

Install from a floppy disk or portable USB drive

VPN server with site-to-site connection, non-domain member

Computer

Server Authentication and Client Authentication

CA Web enrollment tool

Install from a floppy disk or portable USB drive

Client running Windows Vista or Windows XP, non-domain member

Computer

Client Authentication

CA Web enrollment tool

Install from a floppy disk or portable USB drive

User, domain user

User

Client Authentication

Autoenrollment

Use a smart card or the CA Web enrollment tool

If your enterprise CA is on a computer running one of the following operating systems, the RAS and IAS Servers and Workstation Authentication templates are available for use:

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows Server 2003, Enterprise Edition for Itanium-based Systems

  • Windows Server 2003, Datacenter Edition for Itanium-based Systems

  • Windows Server 2003, Enterprise x64 Edition

  • Windows Server 2003, Datacenter x64 Edition

  • Windows Server 2008

Use the following table to determine when to use these templates.

Object and domain membership Certificate template Certificate purpose Preferred certificate enrollment method Alternate certificate enrollment method

VPN, IAS, or NPS server, domain member

RAS and IAS Server

Server Authentication

Autoenrollment

Request a certificate by using the Certificates snap-in

Client running Windows Vista or Windows XP, domain member

Workstation Authentication

Client Authentication

Autoenrollment

Request a certificate by using the Certificates snap-in

VPN, IAS, or NPS server, non-domain member

RAS and IAS Server

Server Authentication

CA Web enrollment tool

Install from a floppy disk or portable USB drive

Client running Windows Vista or Windows XP, non-domain member

Workstation Authentication

Client Authentication

CA Web enrollment tool

Install from a floppy disk or portable USB drive

Important

If your server running NPS is not a domain controller but is a member of a domain with a Windows 2000 mixed functional level, you must add the server to the access control list (ACL) of the RAS and IAS Server certificate template. You must also configure the correct permissions for autoenrollment. There are different procedures for adding single servers and groups of servers to the ACL.

To add an individual server to the ACL for the RAS and IAS server certificate template

  1. In the Certificate Templates snap-in, select the template RAS and IAS server, and then add the NPS server to the template Security properties.

  2. After you have added your NPS server to the ACL, grant Read, Enroll, and Auto-enroll permissions.

To manage a group of servers, add the servers to a new global or universal group, and then add the group to the ACL of the certificate template

  1. In the Active Directory Users and Computers snap-in, create a new global or universal group for NPS servers.

  2. Add to the group all computers that are NPS servers, and that are members of a domain with a Windows 2000 mixed functional level, but that are not domain controllers.

  3. In the Certificate Templates snap-in, select the RAS and IAS server template, and then add the group you created to the template Security properties.

  4. Grant Read, Enroll, and Auto-enroll permissions.