Certificate Deployment Overview
Applies To: Windows Server 2008 R2
The following illustration shows the components that are required to deploy client computer and user certificates.
Client computer and user certificate deployment components
The following components are required to deploy client computer and user certificates:
The enterprise root certification authority (CA) is also an issuing CA. The CA issues certificates to computers and users that have the correct security permissions to enroll a certificate. Active Directory Certificate Services (AD CS) is installed on CA-01.
In this scenario, the enterprise root CA is also an issuing CA. For larger networks or where security concerns justify it, you can separate the roles of root CA and issuing CA, and deploy subordinate CAs that are issuing CAs.
In the most secure deployments, the enterprise root CA is taken offline and physically secured. For more information, see Additional Resources.
Copy of the User certificate template
When you deploy user certificates, you make a copy of the User certificate template and then configure the copy according to your requirements and the instructions in this guide. You use a copy rather than the original so that the configuration of the original template is preserved for possible future use. The CA uses the copy of the User template to create the user certificates that it issues to users who are members of the Domain Users group in Active Directory Users and Computers.
Copy of the Workstation Authentication certificate template
When you deploy computer certificates, you make a copy of the Workstation Authentication certificate template and then configure the copy according to your requirements and the instructions in this guide. You use a copy rather than the original so that the configuration of the original template is preserved for possible future use. The CA uses the copy of the Workstation Authentication template to create the computer certificates that it issues to computers that are members of the Domain Computers group in Active Directory Users and Computers.
After you configure the certificate templates on the CA, you can configure the default domain policy in Group Policy so that certificates are autoenrolled to users, computers, or both. Group Policy is configured in AD DS on the server AD-DNS-01.
Computer and user certificate deployment process
The process of configuring computer and user certificate enrollment occurs in these stages:
1. Install the AD CS server role as an enterprise root issuing CA. This step is required only if you have not already deployed a CA on your network. Instructions for installing AD CS as an enterprise root CA are included in the Core Network Companion Guide: Deploying Server Certificates, which is available in the Windows Server 2008 and Windows Server 2008 R2 Technical Library (http://go.microsoft.com/fwlink/?LinkId=159639). For more information, see Additional Resources.
2. On CA-01, configure copies of the computer and user certificate templates and add them to the CA. The CA issues certificates based on these certificate templates, so you must configure the templates for the computer and user certificates, and then add them to the CA, before the CA can issue them.
3. On AD-DNS-01, configure computer and user certificate autoenrollment in Group Policy. When you configure the autoenrollment of computer certificates, user certificates, or both, all domain member computers, domain users, or both automatically receive a certificate when Group Policy on the user's computer is refreshed. If you add more computers or users later, they also automatically receive a certificate.
   If you removed the Domain Users or Domain Computers groups from the certificate template ACL and replaced these groups with custom groups that you created in Active Directory Users and Computers, certificates are enrolled only to the members of your custom groups.
4. Refresh Group Policy on domain member computers. When Group Policy is refreshed:
   - If you have deployed computer certificates, the domain member computer enrolls a computer certificate that is based on the template that you configured in the previous step.
   - If you have deployed user certificates, the domain user enrolls a user certificate that is based on the template that you configured in the previous step.
   - If you have deployed both user and computer certificates, the domain member computer enrolls a computer certificate and the user enrolls a user certificate, based on the templates that you configured in the previous step.
   Because you have already deployed server certificates, the CA certificate already exists in the Trusted Root Certification Authorities folder in the certificate store for both the Current User and the Local Computer.
   Group Policy is automatically refreshed if you restart the domain member computer, or if a user logs on to a domain member computer. In addition, Group Policy is periodically refreshed. By default, this periodic refresh is performed every 90 minutes with a randomized offset of up to 30 minutes.
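The following Windows PowerShell script is an added example and is not part of the original guide or of Microsoft's documented procedure; it shows how the three configuration stages above (adding the template copies to the CA, enabling autoenrollment in the Default Domain Policy, and refreshing policy and verifying the result on a member computer) can be carried out from the command line instead of the MMC snap-ins. The template names CopyOfWorkstationAuthentication and CopyOfUser are hypothetical and must be replaced with the names you gave your template copies; the script also assumes that the GroupPolicy module (installed with the Remote Server Administration Tools) is available on AD-DNS-01, and that AEPolicy = 7 corresponds to the Certificate Services Client - Auto-Enrollment policy set to Enabled with both of its options selected.

```powershell
# Added example, not from the original guide. Template names are hypothetical.
# Run each stage on the computer named in its heading, with administrative rights.

# ---- Stage 2: on CA-01, add the template copies to the CA -----------------------
$templateNames = @('CopyOfWorkstationAuthentication', 'CopyOfUser')   # hypothetical names
foreach ($name in $templateNames) {
    # "+Name" adds a template to the set the CA issues from; "-Name" would remove it.
    & certutil.exe -SetCATemplates "+$name"
    if ($LASTEXITCODE -ne 0) { throw "certutil could not add template '$name'" }
}
& certutil.exe -CATemplates      # list the templates the CA can now issue

# ---- Stage 3: on AD-DNS-01, enable autoenrollment in the Default Domain Policy ---
Import-Module GroupPolicy
$gpoName = 'Default Domain Policy'
$aeKeys  = @(
    'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment',   # Computer Configuration
    'HKCU\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'    # User Configuration
)
# Assumption: AEPolicy = 7 is Enabled plus "renew expired / update pending / remove
# revoked" plus "update certificates that use certificate templates".
foreach ($key in $aeKeys) {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AEPolicy' `
        -Type DWord -Value 7 | Out-Null
}
Get-GPRegistryValue -Name $gpoName -Key $aeKeys[0] -ValueName 'AEPolicy'   # read back

# ---- Stage 4: on a domain member computer, refresh policy and verify ------------
& gpupdate.exe /force   # refresh Group Policy now instead of waiting for the 90-minute timer
& certutil.exe -pulse   # trigger the autoenrollment task immediately

function Get-TemplateInfo {
    # Returns the decoded Certificate Template Information extension (OID
    # 1.3.6.1.4.1.311.21.7) of a certificate, or $null if the certificate has none.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if ($ext) { return $ext.Format($false) }
    return $null
}

# Subjects of every CA the computer trusts as a root; the enrolled certificates
# are only usable for authentication if their issuer appears here.
$trustedRootSubjects = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Subject }

foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    "== $store =="
    Get-ChildItem $store | ForEach-Object {
        $tpl = Get-TemplateInfo -Cert $_
        if ($tpl) {
            $issuerTrusted = $trustedRootSubjects -contains $_.Issuer
            "{0}`n  template: {1}`n  issuer trusted: {2}`n  expires: {3}" -f `
                $_.Subject, $tpl, $issuerTrusted, $_.NotAfter
        }
    }
}
```

Stage 4 reports, for the Local Computer and Current User personal stores, each certificate that carries a template extension, which template it came from, whether its issuer is present in the Trusted Root Certification Authorities store, and when it expires. A certificate that is listed but whose issuer is not trusted indicates that the CA certificate has not reached the computer, which is the condition the note about previously deployed server certificates rules out in this scenario.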