Enrolling Certificates with Templates
Applies To: Windows Server 2008, Windows Server 2008 R2
The domain membership of computers for which you want to enroll certificates affects the certificate enrollment method that you can choose. Certificates for domain member computers can be enrolled automatically, whereas an administrator must enroll certificates for non-domain member computers by using the Active Directory Certificate Services (AD CS) Web enrollment tool or a floppy disk or compact disc.
Domain member certificate enrollment
If your virtual private network (VPN) server, Network Policy Server (NPS) server, or client running Windows 2000, Windows XP, or Windows Vista is a member of a domain running Windows Server 2008 or Windows Server 2003 and Active Directory Domain Services (AD DS), you can configure the autoenrollment of computer and user certificates. After autoenrollment is configured and enabled, all domain member computers receive computer certificates when Group Policy is next refreshed, whether the refresh is triggered manually with the gpupdate command or by logging on to the domain.
If your computer is a member of a domain where AD DS is not installed, you can install computer certificates manually by requesting them through the Certificates Microsoft Management Console (MMC) snap-in.
Note
Computers running Windows 2000 can autoenroll computer certificates only.
Non-domain member certificate enrollment
Certificate enrollment for computers that are not domain members cannot be performed with autoenrollment. When a computer is joined to a domain, a trust is established that allows autoenrollment to occur without administrator intervention. When a computer is not joined to a domain, trust is not established and a certificate is not issued. Trust must be established by using one of the following methods:
- An administrator (who is, by definition, trusted) must request a computer or user certificate by using the certification authority (CA) Web enrollment tool.
- An administrator must save a computer or user certificate to a floppy disk or portable USB drive, and then install it on the non-domain member computer. Or, when the computer is not accessible to the administrator — for example, a home computer connecting to an organization network with a Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPsec) VPN connection — a domain user whom the administrator trusts can install the certificate.
- An administrator can distribute a user certificate on a smart card (computer certificates are not distributed on smart cards).
Many network infrastructures contain VPN and NPS servers that are not domain members. For example, a VPN server in a perimeter network might not be a domain member for security reasons. In this case, a computer certificate whose Enhanced Key Usage (EKU) extension contains the Server Authentication purpose must be installed on the non-domain member VPN server before it can successfully negotiate L2TP/IPsec-based VPN connections with clients. If the non-domain member VPN server is also used as an endpoint for a VPN connection with another VPN server (a site-to-site connection), the EKU extension must contain both the Server Authentication and Client Authentication purposes.
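The following PowerShell script is an added example, not part of the original article: it audits the local computer store of a VPN or NPS server for a certificate that satisfies the EKU requirement just described, so a missing or expired certificate is found before L2TP/IPsec negotiation fails. The EKU OIDs are the standard PKIX values; the `-SiteToSiteEndpoint` switch is an assumption of this script.

```powershell
# Added example (not from the original article): find a machine certificate whose
# EKU extension meets the requirement for a VPN/NPS server. Run on the server itself.
param(
    # Assumed switch: set it for a VPN server that is also a site-to-site endpoint,
    # which needs Client Authentication in addition to Server Authentication.
    [switch]$SiteToSiteEndpoint
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication (PKIX id-kp-serverAuth)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication (PKIX id-kp-clientAuth)

$required = @($ServerAuthOid)
if ($SiteToSiteEndpoint) { $required += $ClientAuthOid }

$now = Get-Date
# Only certificates with a private key and inside their validity period are usable.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
}

$usable = foreach ($cert in $candidates) {
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # A certificate with no EKU extension does not satisfy the requirement as stated above.
    if (-not $ekuExt) { continue }
    $oids    = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $missing = @($required | Where-Object { $oids -notcontains $_ })
    if ($missing.Count -eq 0) {
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            EKU        = ($oids -join ', ')
        }
    }
}

if ($usable) {
    $usable | Format-Table Subject, Thumbprint, NotAfter, EKU -AutoSize
} else {
    $msg = 'No valid machine certificate with EKU {0} in LocalMachine\My; enroll one ' +
           '(autoenrollment or the CA Web enrollment tool) before enabling L2TP/IPsec.'
    Write-Warning ($msg -f ($required -join ' + '))
    exit 1
}
```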
If you are running an enterprise certification authority (CA) on a computer running Windows Server 2008 or Windows Server 2003, Standard Edition, you can use the following table to determine the best certificate enrollment method for your requirements.
Object and domain membership | Certificate template | Certificate purposes | Preferred certificate enrollment method | Alternate certificate enrollment method |
---|---|---|---|---|
VPN, Internet Authentication Service (IAS), or NPS server, domain member | Computer | Server Authentication | Autoenrollment | Request a certificate by using the Certificates snap-in |
VPN server with site-to-site connection, domain member | Computer | Server Authentication and Client Authentication | Autoenrollment | Request a certificate by using the Certificates snap-in |
Client running Windows Vista or Windows XP, domain member | Computer | Client Authentication | Autoenrollment | Request a certificate by using the Certificates snap-in |
VPN, IAS, or NPS server, non-domain member | Computer | Server Authentication | CA Web enrollment tool | Install from a floppy disk or portable USB drive |
VPN server with site-to-site connection, non-domain member | Computer | Server Authentication and Client Authentication | CA Web enrollment tool | Install from a floppy disk or portable USB drive |
Client running Windows Vista or Windows XP, non-domain member | Computer | Client Authentication | CA Web enrollment tool | Install from a floppy disk or portable USB drive |
User, domain user | User | Client Authentication | Autoenrollment | Use a smart card or the CA Web enrollment tool |
If your enterprise CA is on a computer running one of the following operating systems, the RAS and IAS Servers and Workstation Authentication templates are available for use:
- Windows Server 2003, Enterprise Edition
- Windows Server 2003, Datacenter Edition
- Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Windows Server 2003, Datacenter Edition for Itanium-based Systems
- Windows Server 2003, Enterprise x64 Edition
- Windows Server 2003, Datacenter x64 Edition
- Windows Server 2008
Use the following table to determine when to use these templates.
Object and domain membership | Certificate template | Certificate purpose | Preferred certificate enrollment method | Alternate certificate enrollment method |
---|---|---|---|---|
VPN, IAS, or NPS server, domain member | RAS and IAS Server | Server Authentication | Autoenrollment | Request a certificate by using the Certificates snap-in |
Client running Windows Vista or Windows XP, domain member | Workstation Authentication | Client Authentication | Autoenrollment | Request a certificate by using the Certificates snap-in |
VPN, IAS, or NPS server, non-domain member | RAS and IAS Server | Server Authentication | CA Web enrollment tool | Install from a floppy disk or portable USB drive |
Client running Windows Vista or Windows XP, non-domain member | Workstation Authentication | Client Authentication | CA Web enrollment tool | Install from a floppy disk or portable USB drive |
Important
If your server running NPS is not a domain controller but is a member of a domain with a Windows 2000 mixed functional level, you must add the server to the access control list (ACL) of the RAS and IAS Server certificate template. You must also configure the correct permissions for autoenrollment. There are different procedures for adding single servers and groups of servers to the ACL.
To add an individual server to the ACL for the RAS and IAS Server certificate template
1. In the Certificate Templates snap-in, select the RAS and IAS Server template, and then add the NPS server to the template Security properties.
2. After you have added your NPS server to the ACL, grant Read, Enroll, and Autoenroll permissions.
To manage a group of servers, add the servers to a new global or universal group, and then add the group to the ACL of the certificate template
1. In the Active Directory Users and Computers snap-in, create a new global or universal group for NPS servers.
2. Add to the group all computers that are NPS servers, that are members of a domain with a Windows 2000 mixed functional level, and that are not domain controllers.
3. In the Certificate Templates snap-in, select the RAS and IAS Server template, and then add the group you created to the template Security properties.
4. Grant Read, Enroll, and Autoenroll permissions.
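The following PowerShell script is an added example, not part of the original article: it verifies that the server or group added in either procedure above actually holds the Read, Enroll, and Autoenroll permissions on the RAS and IAS Server template, by reading the template's ACL from the Configuration partition. It assumes the ActiveDirectory module (RSAT) is installed; the `$Principal` value is a placeholder, and the two GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment extended rights.

```powershell
# Added example (not from the original article): check a principal's permissions
# on the "RAS and IAS Server" certificate template in Active Directory.
param(
    # Placeholder: the group or computer account to check, e.g. 'CONTOSO\NPS Servers' or 'CONTOSO\NPS01$'
    [string]$Principal = 'CONTOSO\NPS Servers'
)

Import-Module ActiveDirectory

$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d2-91a6-00c04f79dc55'   # Certificate-AutoEnrollment
$Rights          = [System.DirectoryServices.ActiveDirectoryRights]

# Templates live in the Configuration partition; the cn of "RAS and IAS Server" is RASAndIASServer.
$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=RASAndIASServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$acl = Get-Acl -Path "AD:\$templateDn"
# Direct Allow ACEs for this principal only; membership through nested groups is not resolved here.
$aces = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Principal
})

function Test-ExtendedRight([guid]$RightGuid) {
    # An ACE grants the right if it names that right, or grants all extended rights (empty ObjectType).
    [bool]($aces | Where-Object {
        (($_.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $RightGuid -or $_.ObjectType -eq [guid]::Empty)
    })
}

# "Read" in the template's Security tab corresponds to GenericRead; require all of its bits.
$hasRead = [bool]($aces | Where-Object {
    ($_.ActiveDirectoryRights -band $Rights::GenericRead) -eq $Rights::GenericRead
})

New-Object PSObject -Property @{
    Principal  = $Principal
    Read       = $hasRead
    Enroll     = (Test-ExtendedRight $EnrollRight)
    Autoenroll = (Test-ExtendedRight $AutoEnrollRight)
} | Format-List Principal, Read, Enroll, Autoenroll
```

A result of False for any of the three rows means the procedure above was not completed for that principal, and autoenrollment will not issue the certificate.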