How to Create User and Computer Certificates with Auto-enrollment Using Server 2012 R2

In this article, I will walk through how to create user and machine certificates using Microsoft Windows Server 2012 R2. We will also take a look at how to enable auto-enrollment of certificates to users and machines. This post is particularly useful if you would like to create User and Computer certificates for authentication against Cisco Identity Services Engine (ISE).

The methods I have used in this particular article may differ depending on your active directory groups and group policies but in theory, you should be able to apply the same principles and achieve the same results.

This article assumes you already have a CA running within your server environment along with a user to test enrolment of certificates.

Create Certificate Templates

The first thing we need to do is to create certificate templates. Default templates do exist but it’s easier to duplicate them and change the settings to what you need for your environment.

On Server 2012, open your server manager dashboard and select Tools > Certification Authority. This should open the Certification Authority as shown in the screenshot below.

Expand your CA until you see ‘Certificate Templates‘. Right-click ‘Certificate Templates’ and click ‘Manage’ to manage the templates.

You should be presented with the ‘Certificate Templates Console’ as shown in the screenshot below.

We will start off by duplicating the user template. The following settings are based on the video demonstration I have given, feel free to specify the required settings for your organisation.

Find ‘User’ and right-click and select ‘Duplicate Template’. Enter the following settings:

  • General Tab > Template display name: User-Template
  • Subject Name: Choose the settings shown in the screenshot below

Note: The fields you have selected for the subject name must be populated for your users. If the fields are not populated the certificates may not be issued. (Check out my video at the bottom of the screen as I demonstrate this).

  • Security: Select the relevant user groups for your domain and select the permissions shown in the screenshot below

Extensions: Click Edit > Add and select ‘Server Authentication’ followed by ‘OK’. You’ll see the following screenshot. Then click ‘OK’ and ‘Apply’ to complete the user template.

Now we will create the machine template by duplicating the ‘Workstation Authentication’ template. Now configure the following settings:

  • General Tab > Template display name: Machine-Template
  • Subject Name: Choose the settings shown in the screenshot below
  • Security: Select the relevant user groups for your domain and select the permissions shown in the screenshot below

Extensions: Click Edit > Add and select ‘Server Authentication’ followed by ‘OK’. You’ll see the following screenshot. Then click ‘OK’ and ‘Apply’ to complete the user template.

That should complete the creation of both user and computer templates. Now we need to add the certificate templates to the local CA. To do this head back to your CA screen and right-click ‘Certificate Templates’ > New > Certificate Template to Issue as shown in the screenshot below.

Locate the two templates you just created and with them both selected press ‘OK’ to enable the two new certificate templates. Once enabled you should see them within the certificate templates in your CA as shown in the screenshot below.

Configure Auto-enrollment of Certificates

With our User and Machine certificate templates created we need a way to push them to our machines and users. To do this we can use auto-enrolment, this is disabled by default but is fairly straight-forward to enable.

To enable auto-enrollment on your Server Manager click Tools > Group Policy Management. Once Group Policy Management opens expand your forest until you reach the ‘Default Domain Policy’. If you already have other policies configured feel free to use those, the same theory should apply.

Right-click on the ‘Default Domain Policy’ and ‘Edit’, we will start by enabling auto-enrollment for the machines. Click Computer Configuration > Windows Settings > Security Settings > Public Key Policies and you should be able to see ‘Certificate Services Client – Auto-Enrollment’ at the bottom of the screen, as shown in the screenshot below.

Double-click on
‘Certificate Services Client – Auto-Enrollment’ and enter the following settings

That completes auto-enrollment for machines, now follow the same principles for enabling auto-enrolment for users.

Testing & Troubleshooting

We’re all set! We should be able to test and confirm that our machines and users are indeed automatically getting certificates.

With a device that is joined to your domain, log into the device with a domain user. Once logged in, press the Windows button and type ‘MMC’. Once opened click File > Add/Remove Snap-in and select ‘Certificates’. A snap-in window should appear like the one in the screenshot below.

Start by selecting ‘My user account‘ and then click ‘Add’ again to select ‘Computer account’. When selecting the computer account, select ‘Local Computer’ and click ‘Ok’ to finish adding the snap-ins. You should now have a screen like the screenshot below.

Doubleclick on Certificates – Current User > Personal > Certificates and if all has gone to plan you should see the certificate that has been assigned to the user. You can also do the same to check the machine certificate.

If you encounter issues you should check the server CA failed requests, pending requests and issued certificates. All this information is provided towards the end of my video below.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.