Enable Auto Enrollment to Avoid Expiring Certificates - TechNet Articles - United States (English) - TechNet Wiki

Enable Auto Enrollment to Avoid Expiring Certificates

It is common for a few admins to miss the renewal of some key certificates in their Microsoft internal PKI (Public Key Infrastructure). This is because renewal is a somewhat manual task: you need to set Outlook reminders manually (my favorite method) or run scheduled tasks to remind you before the certificate expiration date.


However, if you have a user that logs on frequently to this CA (Certificate Authority) server, you can enable Auto Enrollment for that user. After configuring it, you don't need to worry about the expiring certificates as long as that specific user still logs on to the CA.


To enable Auto Enrollment, do the following:


  1. Right-click the Certificate Template on which you need to enable the Auto Enrollment feature.
  2. On the Security tab (see the image below), add a specific user or grant an existing user the Autoenroll permission (In my case I picked a normal low-privileged service account that connects periodically to the server, at least once a month, for maintenance and installing the latest Windows updates).
  3. Publish the Template and issue the needed certificate.
  4. Open the Group Policy Management console (on your Domain Controller) and either create a new Group Policy or simply edit the Default Domain Policy.
  5. Navigate to User Configuration - Policies - Windows Settings - Security Settings - Public Key Policies and enable Autoenrollment as shown below.
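The following PowerShell script is an added verification aid, not part of the original article: run it on the CA server as the account you granted Autoenroll to, after completing the five steps above, to confirm the template ACL, the applied policy and the certificates nearing expiry. The template CN, account name (DOMAIN\user form) and warning window are assumed parameters.

```powershell
# Added example, not the article's own code. Assumes $TemplateCN is the template's CN
# (usually the display name without spaces) and $Account is in DOMAIN\user form.
param(
    [Parameter(Mandatory)] [string] $TemplateCN,
    [Parameter(Mandatory)] [string] $Account,
    [int] $WarnDays = 30
)

# Well-known AD CS extended-right GUIDs for Enroll and Autoenroll on a template.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# 1. Does the template ACL (step 2) grant Autoenroll AND Enroll to the account?
#    Autoenroll without Enroll is a common mistake: the client tries, the CA denies.
#    Note: this checks a direct ACE only, not rights inherited via group membership.
$configNC = ([adsi]'LDAP://RootDSE').configurationNamingContext
$dn  = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$ace = ([adsi]"LDAP://$dn").ObjectSecurity.Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
$hasEnroll     = [bool]($ace | Where-Object { $_.ObjectType -eq $EnrollGuid })
$hasAutoenroll = [bool]($ace | Where-Object { $_.ObjectType -eq $AutoenrollGuid })
"Template ${TemplateCN}: Enroll=$hasEnroll Autoenroll=$hasAutoenroll for $Account"

# 2. Has the user autoenrollment policy from step 5 reached this logon session?
#    0x7 is the usual value when both renew/update options are ticked; 0x8000 means disabled.
$aePath   = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
switch ($aePolicy) {
    $null   { 'AEPolicy: not configured (GPO not applied yet; try gpupdate /force)' }
    0x8000  { 'AEPolicy: explicitly disabled' }
    default { 'AEPolicy: 0x{0:x} (0x7 = fully enabled)' -f $aePolicy }
}

# 3. Which certificates in this user's store expire within the warning window?
#    OID 1.3.6.1.4.1.311.21.7 is the Certificate Template Information extension.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays($WarnDays) } |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ n = 'Template'; e = { ($_.Extensions |
            Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }).Format($false) } }

# 4. Trigger an autoenrollment pass now instead of waiting for the next logon or timer cycle.
certutil -pulse | Out-Null
```

If step 1 reports Autoenroll=False, the renewal will never happen regardless of the GPO, so fix the template ACL before chasing the policy.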


Once the Autoenroll feature is enabled, this user will be notified when logged on to the CA server, the certificate will be enrolled (and renewed automatically), and the certificate won't expire.

For More details and PKI articles please check my blog http://itcalls.blogspot.com/
http://itcalls.blogspot.com/2013/08/enable-auto-enrollment-to-avoid.html