What is Certificate Enrollment and how is it used?
Certificate enrollment is the process by which a user or computer requests a digital certificate from a Certificate Authority (CA). There are several methods for enabling certificate enrollment, ranging from manual methods, in which a user initiates the certificate request, to automatic methods, in which the request is initiated by Group Policy or a login script. Manual enrollment is not well suited for mass certificate deployment because of the time an organization must spend training personnel to use it. Autoenrollment, in contrast, lowers the cost of a PKI by reducing the time and effort required to deploy certificates.
Certificate Enrollment Methods
- Certificate Services Web Enrollment Pages: these pages allow a user to request both user and computer certificates from a Web browser. A requestor can ask for specific certificate templates from an enterprise CA, submit certificate request files generated on a network device or another operating system, and check on pending certificate requests.
- Certificate Enrollment wizard: this wizard permits a user to request certificates from an enterprise CA by selecting the enterprise CA and the certificate template and defining additional settings, such as key length and cryptographic service provider (CSP). The wizard is launched from the Certificates snap-in of the Microsoft Management Console (MMC).
- Automatic Certificate Request Settings (ACRS): this Group Policy setting allows the automatic deployment of version 1 computer certificates to computer accounts in the forest. The computer account must be in the domain or organizational unit (OU) where the Automatic Certificate Request Settings are defined, and it must belong to a group that is assigned the Read and Enroll permissions on the version 1 certificate template.
- Autoenrollment settings: this combination of version 2 and version 3 certificate templates and Group Policy settings allows the automatic deployment of certificates to users and computers. All computer or user accounts within the domain or OU where the Autoenrollment Settings Group Policy setting is applied automatically receive certificates from any published version 2 or version 3 certificate template on which the user or computer account is assigned the Read, Enroll, and Autoenroll permissions. Autoenrollment can be used for initial certificate deployment as well as for certificate renewal.
- Certreq.exe: this command-line tool allows a user to create, submit, retrieve, and accept certificate requests sent to a Windows Server CA. Requests can be sent to both standalone and enterprise CAs.
- Network Device Enrollment Service (NDES): NDES is a new Certificate Services role service that enables enrollment through the Simple Certificate Enrollment Protocol (SCEP), an open certificate management protocol.
- Registration authorities: registration authorities allow custom workflows to be defined for certificate life-cycle management tasks. A registration authority ensures that all required data is collected and all required approvals are obtained before a certificate management task is processed.
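The certreq.exe workflow described above (create, submit, retrieve, accept), as an added example that is not part of the original article. The CA name "CA01.corp.example.com\Corp Issuing CA", the template name "WebServer", the host name web01.corp.example.com and the request ID 42 are assumed placeholders.

```powershell
# Added example, not from the original article. Assumed values: CA config string
# "CA01.corp.example.com\Corp Issuing CA", template "WebServer", host web01.corp.example.com.
$inf = @"
[NewRequest]
Subject          = "CN=web01.corp.example.com"
KeyAlgorithm     = RSA
KeyLength        = 3072
HashAlgorithm    = SHA256
; Key goes into the computer store and can never be exported from the KSP
MachineKeySet    = TRUE
Exportable       = FALSE
ProviderName     = "Microsoft Software Key Storage Provider"
; 0xA0 = Digital Signature + Key Encipherment
KeyUsage         = 0xA0
RequestType      = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
; 2.5.29.17 = Subject Alternative Name; TLS clients match on this, not on the CN
2.5.29.17 = "{text}"
_continue_ = "dns=web01.corp.example.com&"
"@
Set-Content -Path .\web01.inf -Value $inf -Encoding ASCII

# 1. Create the key pair and the PKCS#10 request (private key stays on this machine)
certreq.exe -new .\web01.inf .\web01.req

# 2. Submit to the enterprise CA. If the template requires CA manager approval the
#    request is pended and certreq prints a RequestId instead of writing web01.cer.
certreq.exe -submit -config "CA01.corp.example.com\Corp Issuing CA" .\web01.req .\web01.cer

# 3. Only if it was pended: retrieve by RequestId (42 is a placeholder) once approved
#    certreq.exe -retrieve -config "CA01.corp.example.com\Corp Issuing CA" 42 .\web01.cer

# 4. Bind the issued certificate to the private key created in step 1
certreq.exe -accept .\web01.cer

# Verify the result: a private key must be present and the SAN must carry the host name
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=web01.corp.example.com' } |
    Select-Object Thumbprint, NotAfter, HasPrivateKey,
        @{ n = 'SAN'; e = { ($_.Extensions |
            Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }).Format($false) } }
```

A certificate that shows HasPrivateKey = False means step 4 ran on a machine other than the one that ran step 1, which is the most common cause of a "working" certificate that cannot be used.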
Automatic Enrollment
Before enrolling a certificate manually, automatically, or through a scripting method, you must ensure that the certificate templates are available for enrollment at a CA.
Two methods for automatically deploying certificates to users and computers are:
- Automatic Certificate Request Settings: ACRS is an automated enrollment process that distributes certificates without user involvement, but the supported scenarios are limited:
  - Certificates can be distributed only to domain-member computers running Windows 2000 and later.
  - Only version 1 certificate templates can be distributed.
  - Certificates cannot be distributed to user accounts.
  Although limited, ACRS is useful for distributing Computer or IPsec certificates to all computers in a domain.
- Autoenrollment Settings: a combination of Group Policy settings and version 2 or version 3 certificate templates that allows domain-member client computers to automatically enroll user or computer certificates.
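Because autoenrollment issues a certificate to every account that holds Read, Enroll and Autoenroll on a published template, the template ACLs are the control point to review. The following is an added example, not the article's own code: it lists, for each template published on an enterprise CA, its schema version and every identity that holds the Enroll or Autoenroll extended right. It assumes the ActiveDirectory RSAT module on a domain-joined host.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module
# and read access to the Configuration partition, which every domain user has by default.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiNC    = "CN=Public Key Services,CN=Services,$configNC"

# Resolve the Enroll / Autoenroll extended-right GUIDs from the schema rather than hard-coding them
$rights = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter "(|(displayName=Certificate-Enrollment)(displayName=Certificate-AutoEnrollment))" `
    -Properties displayName, rightsGuid |
    ForEach-Object { $rights[[guid]$_.rightsGuid] = $_.displayName }

# Only templates published on at least one enterprise CA can actually be enrolled
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiNC" `
    -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

Get-ADObject -SearchBase "CN=Certificate Templates,$pkiNC" `
    -LDAPFilter "(objectClass=pKICertificateTemplate)" `
    -Properties msPKI-Template-Schema-Version, nTSecurityDescriptor |
    Where-Object { $published -contains $_.Name } |
    ForEach-Object {
        $tpl = $_
        # Allow ACEs whose ObjectType is one of the two enrollment rights. ACEs that grant
        # GenericAll or WriteDacl also imply enrollment but are not matched by this filter.
        $tpl.nTSecurityDescriptor.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $rights.ContainsKey($_.ObjectType) } |
            ForEach-Object {
                [pscustomobject]@{
                    Template      = $tpl.Name
                    # 1 = version 1 (ACRS only); 2 or higher = autoenrollment-capable
                    SchemaVersion = $tpl.'msPKI-Template-Schema-Version'
                    Right         = $rights[$_.ObjectType]
                    Identity      = $_.IdentityReference.Value
                }
            }
    } | Sort-Object Template, Right | Format-Table -AutoSize
```

Rows where a broad group such as Domain Users or Domain Computers holds Autoenroll on a version 2 or 3 template are exactly the deployments the text describes, so each one should correspond to an intended mass-deployment decision.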
Enrollment Protocols
- SCEP: the Simple Certificate Enrollment Protocol (SCEP) is an open certificate management protocol used to automate certificate issuance.
- EST: the Enrollment over Secure Transport protocol (EST) is the evolution of SCEP and uses Transport Layer Security (TLS) for client-side device authentication.
- ACME: the Automated Certificate Management Environment (ACME) protocol provides an efficient way to validate that a certificate requester is authorized for the requested domain, and it installs the issued certificates automatically.
Conclusion
Organizations generally prefer automatic enrollment; however, if the requestor cannot communicate directly with the CA, or the device does not support autoenrollment, manual enrollment can be used instead.