Enabling Auto-Enrollment
The Server Suite Agent uses the Microsoft Windows certificate auto-enrollment feature to make certificates available to UNIX computers. If auto-enrollment is enabled, when a UNIX computer joins a domain, the Server Suite Agent requests certificates from the CA based on particular templates, and installs them on the joined computer.
To enable auto-enrollment, you must do the following:
- Enable auto-enrollment for the group policy.
- Create a certificate template with auto-enrollment enabled.
Enabling Auto-Enrollment for the Group Policy
To enable auto-enrollment for the group policy:
-
Open the Group Policy Management Editor and select the group policy object that defines IPsec policies.
Click Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto Enrollment.
-
Double-click Certificate Services Client - Auto-Enrollment, select Enabled, and check the following boxes:
- Renew expired certificate, update pending certificates, and remove revoked certificates
- Update certificates that use certificate templates
-
Click OK to save the auto-enrollment settings.
Creating a Certificate Template
To configure a template with auto-enrollment:
-
Open the MMC Certificate Template snap-in.
Another way to open the Certificate Template console is to open the Certification Authority console, right-click Certificate Templates, and select Manage.
-
Select a template, then right-click and select Duplicate Template to create a new template that you can modify.
For example, select the Workstation Authentication template.
-
On the Properties page for the new template, do the following:
- Select the General tab and enter a name for the template.
- Select the Security tab and select Domain Computers. Then select Read and Autoenroll permissions.
- Select the Subject Name tab. For Subject name format, select Fully distinguished name.
- Select the Extensions tab. Then select Application Policies.
- Click Edit. Client Authentication should already be shown.
- Click Add, then scroll and select Server Authentication.
- Click OK.
-
Click OK to save the new template.