December 15, 2003 12:00 AM

Windows Server 2003 PKI Certificate Autoenrollment

Automatically deploy user and machine X.509 certificates
Windows IT Pro
InstantDoc ID #40948

Certificate autoenrollment in Windows Server 2003, Windows XP, and Windows 2000 automatically creates certificates for users and machines. Autoenrollment handles certificate enrollment, certificate renewal, and certain housekeeping tasks, such as removing revoked certificates from a user's or machine's certificate store and downloading trusted root Certification Authority (CA) certificates and cross-certificates (a new way to set up CA trust relationships in Windows 2003) from Active Directory (AD). Win2K public key infrastructure (PKI) supports certificate autoenrollment only for machine certificates and Encrypting File System (EFS) user certificates. Fortunately, Windows 2003 PKI extends certificate autoenrollment for users to all certificate types.

Windows PKI uses certificate autoenrollment several ways:

  • Every Windows 2003 and Win2K domain controller (DC) automatically receives a DC certificate when the machine joins a domain in which an enterprise CA is defined.
  • An administrator can set a Group Policy Object (GPO) setting that automatically enrolls machines for IP Security (IPSec) or Secure Sockets Layer (SSL) certificates.
  • An administrator can set a GPO setting that automatically enrolls several users for a user or secure-mail certificate.
  • A CA administrator who wants to change a property of a particular certificate type can duplicate the old certificate template to create a new certificate template and let the new template supersede the old one. Autoenrollment then automatically distributes to the appropriate PKI users a new certificate based on the new template.
  • An administrator can automate the creation of certificates for new users.

Certificate autoenrollment requires additional client-side code. At press time, Microsoft bundled only user autoenrollment client logic with Windows 2003 and XP, but the company will soon introduce machine autoenrollment client logic for Windows 2003, XP, and Win2K. User and machine autoenrollment requires that the machine and user be part of an AD domain.

Let's look at how to set up user and machine certificate autoenrollment in a Windows 2003 PKI environment. Let's also look at some of autoenrollment's nuts and bolts.

How Autoenrollment Works
The Winlogon process triggers certificate autoenrollment (i.e., the autoenrollment event). The Winlogon process is initiated every time a user performs an interactive logon and every time machine- or user-based group policies are applied. By default, group policies are refreshed every 90 minutes. You can also trigger a GPO refresh manually; unlocking a workstation, however, doesn't trigger a certificate autoenrollment event.

During an autoenrollment event, the client OS queries AD and downloads the content of a set of predefined certificate stores to the local store on the client machine. These stores are the NTAuth, trusted root CA, certificate templates, and Authority Information Access (AIA—for cross-certificates) AD containers. Both the NTAuth and trusted root CA containers supply trusted CA certificates to Windows domain clients. The certificate templates container holds the definitions of all certificate types that the forest supports. The AIA container lets enterprise PKI users download trusted CA certificates from AD. Autoenrollment then processes the certificate templates, analyzes their properties, and creates a requirements list of tasks to be performed during the autoenrollment event. The requirements list includes the following:

  • Certificate enrollment tasks—Autoenrollment adds all templates that have autoenroll and read permissions set for the current machine or user.
  • Certificate renewal tasks—Autoenrollment processes the user's or machine's MY certificate store container to look for expired certificates or certificates that are about to expire and adds these certificates to the requirements list. Automatic certificate renewal starts when 80 percent of the certificate's lifetime has passed or when the renewal interval period specified in the certificate template has been reached. The latter is specified on the General tab of a Version 2 certificate template in Windows 2003.
  • Certificate enrollment tasks based on template supersede rules—Autoenrollment evaluates certificate template supersede rules and makes the appropriate additions to and deletions from the requirements list. Therefore, if a new certificate template supersedes a particular template, the process adds an autoenrollment task for the newer template to the requirements list.

The autoenrollment process then searches AD for an enterprise CA that can issue the certificates. If it finds a CA, it passes the requirements list to the CA, which processes the certificate-enrollment and renewal requests. If the CA issues a certificate, the autoenrollment process installs it in the user's or machine's MY certificate store container. If the certificate's state is set to pending (for certificate requests that require administrator approval), the autoenrollment process saves the request information in the user's or machine's certificate enrollment request store.
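The three rules above (enrollment tasks from template permissions, renewal tasks from the MY store, and supersede rules) can be modelled in a few lines. The following is an added example, not Microsoft code and not taken from the article: it builds the requirements list for a constructed set of templates and certificates. The `Template`, `Certificate`, `build_requirements` and `renewal_due` names, the sample template names, and the dates are all assumptions made for the example; the two modelling assumptions (a certificate already in MY satisfies its template, and renewal requires the template still to be published and eligible) are marked in the comments.

```python
# Added example (not Microsoft's code): a model of the requirements list that an
# autoenrollment event builds from template permissions, the MY store and
# supersede rules. All templates, certificates and dates below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Template:
    name: str
    autoenroll: bool = False                    # Autoenroll permission granted to the principal
    read: bool = False                          # Read permission granted to the principal
    renewal_period: Optional[timedelta] = None  # "Renewal period" on the General tab (Version 2)
    supersedes: Tuple[str, ...] = ()            # names of older templates this one replaces


@dataclass(frozen=True)
class Certificate:
    template: str            # template the certificate was issued from
    not_before: datetime
    not_after: datetime


def eligible(t: Template) -> bool:
    """A template is considered only if the principal has both Read and Autoenroll."""
    return t.read and t.autoenroll


def renewal_due(cert: Certificate, template: Optional[Template], now: datetime) -> bool:
    """Renewal starts at 80 % of the lifetime or once the template's renewal period is reached."""
    lifetime = cert.not_after - cert.not_before
    if now >= cert.not_before + lifetime * 0.8:
        return True
    if template is not None and template.renewal_period is not None:
        return now >= cert.not_after - template.renewal_period
    return False


def build_requirements(templates: List[Template], my_store: List[Certificate],
                       now: datetime) -> List[Tuple[str, str]]:
    """Return sorted (template name, task) pairs; task is 'enroll' or 'renew'."""
    by_name = {t.name: t for t in templates}
    held = {c.template for c in my_store}
    tasks: Dict[str, str] = {}

    # 1. Enrollment tasks: every eligible template the principal holds no certificate from.
    #    (Modelling assumption: a certificate already in MY satisfies its template.)
    for t in templates:
        if eligible(t) and t.name not in held:
            tasks[t.name] = "enroll"

    # 2. Renewal tasks: certificates in MY that are expired or about to expire.
    #    (Modelling assumption: the template must still be published and eligible.)
    for c in my_store:
        t = by_name.get(c.template)
        if t is not None and eligible(t) and renewal_due(c, t, now):
            tasks[c.template] = "renew"

    # 3. Supersede rules: drop tasks for superseded templates and make sure the
    #    newer template is enrolled instead.
    for t in templates:
        if not eligible(t):
            continue
        for old in t.supersedes:
            if old in held or old in tasks:
                tasks.pop(old, None)
                if t.name not in held:
                    tasks[t.name] = "enroll"

    return sorted(tasks.items())


NOW = datetime(2003, 12, 15)  # constructed "current time" of the autoenrollment event

SAMPLE_TEMPLATES = [
    Template("User", autoenroll=True, read=True, renewal_period=timedelta(weeks=6)),
    Template("User v2", autoenroll=True, read=True, renewal_period=timedelta(weeks=6),
             supersedes=("User",)),
    Template("IPSec", autoenroll=True, read=True, renewal_period=timedelta(weeks=4)),
    Template("Smartcard Logon", autoenroll=True, read=True),
    Template("EFS Recovery Agent", autoenroll=False, read=True),  # Read only: never autoenrolled
]

SAMPLE_STORE = [
    Certificate("User", datetime(2003, 1, 1), datetime(2004, 1, 1)),   # past 80 %: due
    Certificate("IPSec", datetime(2003, 9, 1), datetime(2004, 9, 1)),  # still young: not due
]

# Only 31 days old, so well short of 80 %, but already inside the 6-week renewal period.
SHORT_LIVED_CERT = Certificate("User", datetime(2003, 12, 1), datetime(2004, 1, 1))


def example() -> List[Tuple[str, str]]:
    return build_requirements(SAMPLE_TEMPLATES, SAMPLE_STORE, NOW)


if __name__ == "__main__":
    for name, task in example():
        print(f"{task:6} {name}")
    print("short-lived User cert due:", renewal_due(SHORT_LIVED_CERT, SAMPLE_TEMPLATES[0], NOW))
```

With the sample data the held User certificate is past 80 percent of its lifetime and would be queued for renewal, but because the eligible "User v2" template supersedes "User", the renewal task is dropped and an enrollment task for "User v2" takes its place; "Smartcard Logon" is enrolled because no certificate from it is held, "IPSec" is left alone, and "EFS Recovery Agent" never appears because the principal lacks the Autoenroll permission.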

At the end of the autoenrollment process, the outcome (success or failure) of the process is logged in the local system's Application event log. If autoenrollment fails, a summary dialog box appears.

You can configure the autoenrollment process to log more verbose information and events in the Application event log. Simply set the AEEventLogLevel registry value (of type REG_DWORD) to 0 under each of the following registry subkeys:

  • HKEY_CURRENT_USER\Software\Microsoft\Cryptography\AutoEnrollment (for user autoenrollment)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment (for machine autoenrollment)

Autoenrollment events trigger more than just certificate autoenrollment. They also download trusted root CA certificates from the AD-based CA and NTAuth stores to the local machine's Trusted Root Certification Authorities certificate store. The autoenrollment process doesn't download the complete NTAuth store, however; it downloads only the differences in content between the local certificate store and the AD-based NTAuth store.

Autoenrollment events download cross-certificates from AD to the local machine's certificate store. As with trusted root CA certificates, the process downloads only the changes. Autoenrollment also enumerates the pending certificate requests in the user's certificate enrollment request store. After the CA issues the certificate, the process downloads the certificate and installs it in the user's certificate store. If the request has been pending for more than 60 days, the process removes the request from the user's request store.

The autoenrollment process also deletes expired and revoked certificates in the user certificate attribute of the user's AD object and in the user's local machine certificate store. The latter occurs only if you select the Delete revoked or expired certificates property on the Request Handling tab in the certificate template properties.

Comments
  • Bryce
    Jun 26, 2005

    All seems fine if you have Server 2003 Enterprise Edition. We have Standard Edition, and I'm quite in the dark as to what I can do -> seems to be very little?
    Why?
