Configure a certificate template for client autoenrollment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

 

To configure a certificate template for client autoenrollment

  1. Open Certificate Templates.

  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

  3. On the Security tab, add the users or groups that you want and, under Allow, select the Read, Enroll, and Autoenroll check boxes.

  4. (Optional) To automatically enroll the subject without any more user input, on the Request Handling tab, click Enroll subject without requiring any user input.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Certificate Templates, click Start, click Run, type certtmpl.msc, and then press Enter.

  • This procedure is applicable to version 2 templates. For more information about version 2 templates, see Related Topics.

  • In addition to this procedure, other settings must be configured to allow client autoenrollment. For more information, see Related Topics.

  • Clients must be re-enrolled to receive a certificate based on the changed template if they already have a valid certificate based on the old template. For more information about re-enrolling clients, see Related Topics.

  • When autoenrollment retrieves a certificate that is configured to be stored on a smart card, you will receive a popup message when the certificate is ready to be stored on the smart card. If the message refers to a type of smart card that you do not have, click Cancel until the correct smart card type appears. You then provide the smart card PIN and the certificate will be stored on the smart card.

  • When autoenrollment enrolls for a certificate that requires user interaction for the enrollment process, you will receive a Certificate Enrollment popup message and an icon will appear on your taskbar. Clicking that icon or message begins the certificate autoenrollment process.
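To confirm the result of steps 3 and 4 without opening the console, the template object can be read directly from Active Directory. The script below is an added example, not part of the original page or Microsoft's tooling; it assumes PowerShell 2.0 or later on a domain-joined management host, uses a hypothetical template name (`ExampleUserTemplate`), and treats the Read permission as the GenericRead access mask.

```powershell
# Added example (not from the original page): report the state that steps 3 and 4 set.
param([string]$TemplateName = 'ExampleUserTemplate')   # hypothetical template CN

# Extended-right GUIDs for certificate enrollment in Active Directory.
$extendedRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}
$adRights    = [System.DirectoryServices.ActiveDirectoryRights]
$genericRead = [int]$adRights::GenericRead
$extended    = [int]$adRights::ExtendedRight

# Templates are stored in the forest's configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.psbase.Properties['configurationNamingContext'].Value
$path     = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    throw "Certificate template not found: $path"
}
$template = [ADSI]$path

# Step 4: msPKI-Enrollment-Flag bit 0x100 means user interaction is required.
$flags = [int]$template.psbase.Properties['msPKI-Enrollment-Flag'].Value
$mode  = if ($flags -band 0x100) { 'prompts the user' } else { 'enrolls without user input' }
Write-Output "Template '$TemplateName' $mode"

# Step 3: walk the Allow entries and map them to Read / Enroll / Autoenroll.
$acl = $template.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
foreach ($ace in $acl) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $mask    = [int]$ace.ActiveDirectoryRights
    $granted = @()
    if (($mask -band $genericRead) -eq $genericRead) { $granted += 'Read' }
    if ($mask -band $extended) {
        $guid = $ace.ObjectType.ToString()
        if ($ace.ObjectType -eq [Guid]::Empty) {
            $granted += @($extendedRights.Values)   # no GUID: every extended right
        } elseif ($extendedRights.ContainsKey($guid)) {
            $granted += $extendedRights[$guid]
        }
    }
    if ($granted) {
        New-Object PSObject -Property @{
            Principal = $ace.IdentityReference.Value
            Rights    = ($granted | Sort-Object -Unique) -join ', '
            Inherited = $ace.IsInherited
        }
    }
}
```

Principals with Full Control appear with all three rights, so the output also shows accounts that can enroll without having been added in step 3.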

See Also

Concepts

Certificate Services example implementation: Establishing autoenrollment for user certificates
Version 2 certificate templates
Planning for autoenrollment deployment
Allowing for autoenrollment
Re-enroll all certificate holders