Enabling Auto-Enrollment

The Server Suite Agent uses the Microsoft Windows certificate auto-enrollment feature to obtain certificates for UNIX computers. If auto-enrollment is enabled, when a UNIX computer joins a domain, the Server Suite Agent requests certificates from the CA for the templates that grant the computer Autoenroll permission, and installs them on the joined computer.

To enable auto-enrollment, you must do the following:

  • Enable auto-enrollment for the group policy.
  • Create a certificate template with auto-enrollment enabled.

Enabling Auto-Enrollment for the Group Policy

To enable auto-enrollment for the group policy:

  1. Open the Group Policy Management Editor and select the group policy object that defines the IPsec policies for the UNIX computers.

    Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

  2. Double-click Certificate Services Client - Auto-Enrollment, set Configuration Model to Enabled, and check the following boxes:

    • Renew expired certificates, update pending certificates, and remove revoked certificates
    • Update certificates that use certificate templates
  3. Click OK to save the auto-enrollment settings.

Creating a Certificate Template

To configure a template with auto-enrollment:

  1. Open the Certificate Templates snap-in (certtmpl.msc).

    Alternatively, open the Certification Authority console, right-click Certificate Templates, and select Manage.

  2. Select a template to copy, then right-click and select Duplicate Template to create a new template that you can modify.

    For example, select the Workstation Authentication template, which already carries the Client Authentication application policy and is intended for computer accounts.

  3. On the Properties page for the new template, do the following:

    1. Select the General tab and enter a name for the template.
    2. Select the Security tab and select Domain Computers. Then allow the Read, Enroll, and Autoenroll permissions. Autoenroll alone is not sufficient: auto-enrollment also requires Enroll.
    3. Select the Subject Name tab. Under Build from this Active Directory information, set Subject name format to Fully distinguished name. Leave Supply in the request unselected; with that option, any principal allowed to enroll could request a certificate for an arbitrary subject, and the resulting certificate carries the Client Authentication policy.
    4. Select the Extensions tab. Then select Application Policies.
    5. Click Edit. Client Authentication should already be listed, because it is inherited from the Workstation Authentication template.
    6. Click Add, then scroll and select Server Authentication.
    7. Click OK.
  4. Click OK to save the new template. The CA does not issue a template until it is published: in the Certification Authority console, right-click Certificate Templates, select New > Certificate Template to Issue, and add the new template.
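The two procedures above, as an added PowerShell example that is not part of the original page and is not Server Suite's own tooling: it writes the Certificate Services Client - Auto-Enrollment setting into a GPO, then reads the duplicated template's object from the Configuration partition and checks that it has the permissions, subject-name source, and application policies described above, and that the enrollee is not allowed to supply its own subject or subject alternative name. The GPO name, the template name, and the use of the RSAT GroupPolicy and ActiveDirectory modules are assumptions; the right GUIDs, flag bits, and EKU OIDs are the documented AD CS values.

```powershell
# Added example, not from the original page or from Server Suite.
# Assumes a domain-joined Windows host with the GroupPolicy and ActiveDirectory
# RSAT modules, rights to edit the GPO, and read access to the Configuration NC.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName      = 'UNIX IPsec Policy'              # assumed: GPO that defines the IPsec policies
$TemplateName = 'UNIXWorkstationAuthentication'  # assumed: CN of the duplicated template

# --- Part 1: Certificate Services Client - Auto-Enrollment ---
# The GPME dialog stores this setting as the AEPolicy DWORD under the key below.
# 7 is what the dialog writes for Enabled with both boxes checked; 32768 (0x8000)
# is what it writes for Disabled.
$aeKey = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $GpoName -Key $aeKey -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

$aePolicy = (Get-GPRegistryValue -Name $GpoName -Key $aeKey -ValueName 'AEPolicy').Value
if ($aePolicy -ne 7) { throw "AEPolicy in GPO '$GpoName' is $aePolicy, expected 7" }

# --- Part 2: verify the template object in Active Directory ---
$configNC = (Get-ADRootDSE).configurationNamingContext
$tplDN    = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -Identity $tplDN -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor

# Extended rights for Enroll and Autoenroll, msPKI-Certificate-Name-Flag bits
# (MS-CRTD), and the application policy OIDs shown in the Extensions tab.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT          = 0x00000001
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME = 0x00010000
$CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH     = 0x80000000   # "Fully distinguished name"
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'

$domainComputers = "$((Get-ADDomain).NetBIOSName)\Domain Computers"
# Read is normally inherited via Authenticated Users on a duplicated template, so
# accept either principal for Read; Enroll and Autoenroll must be explicit.
$readPrincipals = @($domainComputers, 'NT AUTHORITY\Authenticated Users')
$allow = $tpl.nTSecurityDescriptor.Access | Where-Object { $_.AccessControlType -eq 'Allow' }
$dcRules = $allow | Where-Object { $_.IdentityReference.Value -eq $domainComputers }

# The attribute is a signed 32-bit integer in AD; widen to 64 bits and mask so the
# 0x80000000 bit can be tested without sign trouble.
$nameFlag = [int64]([int]$tpl.'msPKI-Certificate-Name-Flag') -band 0xFFFFFFFF

$checks = [ordered]@{
    'Read (Domain Computers or Authenticated Users)' =
        [bool]($allow | Where-Object {
            $readPrincipals -contains $_.IdentityReference.Value -and
            ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)) -ne 0 })
    'Enroll (Domain Computers)'        = [bool]($dcRules | Where-Object { $_.ObjectType -eq $EnrollRight })
    'Autoenroll (Domain Computers)'    = [bool]($dcRules | Where-Object { $_.ObjectType -eq $AutoenrollRight })
    'Subject built from AD DN'         = ($nameFlag -band $CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH) -ne 0
    'Enrollee cannot supply subject/SAN' =
        ($nameFlag -band ($CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -bor $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME)) -eq 0
    'EKU: Client Authentication'       = $tpl.pKIExtendedKeyUsage -contains $ClientAuthEku
    'EKU: Server Authentication'       = $tpl.pKIExtendedKeyUsage -contains $ServerAuthEku
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-46} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
if ($checks.Values -contains $false) { throw "Template '$TemplateName' is not configured as described" }

# --- Part 3: confirm the CA actually issues the template ---
# certutil -CATemplates lists the templates published on the CA; run this on the
# CA itself or add -config "CAHost\CAName".
$issued = certutil -CATemplates 2>&1
if (-not ($issued -match "^$TemplateName`:")) {
    Write-Warning "Template '$TemplateName' is not published on the CA (Certificate Template to Issue)"
}
```

Run the script from an elevated PowerShell session on a domain-joined host before joining the first UNIX computer; it throws on the first mismatch, so a clean run means the GPO value and the template match the settings in the two procedures. The subject and SAN check is the one worth keeping even after setup: a template that lets the enrollee supply its own subject and carries Client Authentication lets any principal with Enroll request a certificate for an identity it does not own.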