This topic describes the procedures and applications used to add enrollment policy servers and manage enrollment policies by using the Certificates snap-in. These procedures can be used to configure enrollment policies that enable users to request certificates from commercial certification authorities (CAs) offering certificate enrollment services on the Internet or enterprise CAs within an organization.

Configuring certificate enrollment policy settings

The Certificate Enrollment Policy Server dialog box is used to add enrollment policy servers and can be opened by using either the Manage Enrollment Policies dialog box or the Certificate Enrollment wizard.

To configure certificate enrollment policy settings
  1. Click Start, type certmgr.msc in the Search programs and files box, and press ENTER.

  2. In the console tree, click Personal.

  3. Do one of the following:

    • On the Action menu, point to All Tasks, point to Advanced Operations, and then click Manage Enrollment Policies. Under Certificate enrollment policy list, click Add. For more information about the settings in this dialog box, see the "Manage Enrollment Policies dialog box" table later in this topic.

    • On the Action menu, point to All Tasks, and then click Request New Certificate to start the Certificate Enrollment wizard. Click Next, and then on the Select Certificate Enrollment Policy page, click Add New. For more information about the settings in this dialog box, see the "Certificate Enrollment Policy Server dialog box" table later in this topic.

  4. In the Enter enrollment policy server URI box, type a certificate enrollment policy server URI.

  5. In the Authentication type list, select the authentication type required by the enrollment policy server.

  6. Click Validate, and then review the messages in the Certificate enrollment policy server properties area. The Add button is available only after the enrollment policy server URI and authentication type are validated.

  7. Click Add.
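The same registration can be scripted with the PKI module cmdlets (Windows 8 / Windows Server 2012 or later). The following is an added example, not part of the original topic; the host name and the URL path (the default ADPolicyProvider_CEP_<AuthType>/service.svc/CEP layout of a Certificate Enrollment Policy Web Service) are assumptions to be replaced with your own endpoint. It performs steps 4 through 7 for the user context and then the check described in the Note, and shows how the other authentication types of the dialog box are selected through the -Credential parameter.

```powershell
# Added example (not from the original topic). Requires the PKI module
# (Windows 8 / Windows Server 2012 or later). The server name and URL below
# are assumptions; replace them with your CEP endpoint. The URI must use HTTPS.
$CepUrl = 'https://cep.contoso.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP'

# Steps 4-7: register the policy server for the current user.
# Omitting -Credential selects Windows integrated (Kerberos) authentication,
# the right choice for an AD DS domain member.
# -AutoEnrollmentEnabled and -RequireStrongValidation set the two check boxes
# found in the Certificate Enrollment Policy Server Properties dialog box.
# -NoClobber refuses to overwrite an entry that already exists for this URL.
# The cmdlet contacts the server before saving anything and fails if the TLS
# session cannot be established, the URI is not HTTPS, or no valid enrollment
# policy is returned, which is the same check the Validate button performs.
Add-CertificateEnrollmentPolicyServer -Url $CepUrl -Context User `
    -AutoEnrollmentEnabled -RequireStrongValidation -NoClobber

# Username/password authentication: pass a PSCredential instead.
# (Assumed URL for a CEP instance published for that authentication type.)
# $cred = Get-Credential -Message 'Account used to authenticate to the CEP server'
# Add-CertificateEnrollmentPolicyServer `
#     -Url 'https://cep.contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP' `
#     -Context User -Credential $cred

# X.509 certificate authentication: pass a client-authentication certificate
# that has a private key in the user's Personal store.
# $clientCert = Get-ChildItem Cert:\CurrentUser\My |
#     Where-Object { $_.HasPrivateKey -and
#                    $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' } |
#     Select-Object -First 1
# Add-CertificateEnrollmentPolicyServer `
#     -Url 'https://cep.contoso.com/ADPolicyProvider_CEP_Certificate/service.svc/CEP' `
#     -Context User -Credential $clientCert

# Equivalent of the Note: confirm that the URL now appears among the user's
# configured enrollment policy servers (all properties are listed so the policy
# identifier and friendly name reported by Validate can be inspected).
$configured = Get-CertificateEnrollmentPolicyServer -Scope Configured -Context User
$configured | Format-List *
if (-not ($configured | Where-Object { $_.Url -eq $CepUrl })) {
    Write-Warning "CEP server $CepUrl was not registered."
}
```

Run the script in a PowerShell session for the user whose certificates you are managing; use -Context Machine from an elevated session to register the server for the computer account instead. Because the cmdlet validates the endpoint before writing the entry, a typo in the URL or a server certificate that does not chain to a trusted root surfaces as an error at this step rather than at enrollment time.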

Note

If the added enrollment policy server supports an enrollment policy that is already displayed in Certificate enrollment policy list, then the added server will not be displayed separately. Click Properties to verify that the added enrollment policy server is displayed in the Enrollment policy servers list. For more information about the settings in this dialog box, see the "Certificate Enrollment Policy Server Properties dialog box" table later in this topic.

User interface reference

The following tables describe the settings available in the Manage Enrollment Policies dialog box, the Certificate Enrollment Policy Server dialog box, and the Certificate Enrollment Policy Server Properties dialog box.

Manage Enrollment Policies dialog box

Setting Description

Certificate enrollment policy list

Displays the list of enrollment policies that are included in the policy setting. One of the displayed policies must be specified as the default policy by selecting the Default check box.

Add

Opens the Certificate Enrollment Policy Server dialog box, which is used to add an enrollment policy server.

Remove

Removes the selected enrollment policy and all associated enrollment policy servers from the list.

Properties

Opens the Certificate Enrollment Policy Server Properties dialog box, which displays the policy details and list of enrollment policy servers for the selected enrollment policy.


Certificate Enrollment Policy Server dialog box

Setting Description

Enter enrollment policy server URI

Specifies the URI of the Certificate Enrollment Policy Web Service. The URI must use HTTPS.

Authentication type

Specifies the type of authentication that is used to connect to the specified URI. The specified authentication type must match the authentication type that is required by the Certificate Enrollment Policy Web Service.

The following authentication types are available:

  • Anonymous. No credentials are provided when connecting to the certificate enrollment policy server.

  • Windows integrated. Windows integrated authentication uses the Kerberos protocol and is appropriate for AD DS domain members.

  • Username/password. During certificate enrollment, users will be prompted to enter a user name and password.

  • X.509 Certificate. During certificate enrollment, users will be prompted to select a certificate for authentication.

Validate

Connects to the specified URI by using the specified authentication type to verify the following details:

  • An SSL connection can be made to the enrollment policy server.

  • A valid enrollment policy is returned by the enrollment policy server.

  • The enrollment policy is not already included in the enrollment policy list.

Validation is required for an enrollment policy server URI before it can be added. If the specified URI and authentication type are valid, the enrollment policy identifier and friendly name are displayed. Warning or error messages are displayed if there is a problem with validation.

Add

Adds the enrollment policy server URI and the validated enrollment policy to the enrollment policy list. The Add button is available only after the enrollment policy server URI and authentication type are validated.

Certificate Enrollment Policy Server Properties dialog box

Setting Description

Enrollment policy servers list

Displays the list of enrollment policy servers that support the enrollment policy.

Remove

Removes the selected enrollment policy server. If all enrollment policy servers are removed, the enrollment policy will also be removed.

Enable for automatic enrollment and renewal

Specifies that the enrollment policy is used for autoenrollment when autoenrollment is enabled.

On computers running Windows 7 that are not members of a domain, autoenrollment is enabled by default. On computers that are members of a domain, autoenrollment must be enabled in Group Policy. See Managing Certificate Enrollment (http://go.microsoft.com/fwlink/?LinkID=143282) for autoenrollment configuration procedures.

Require strong validation during enrollment

Specifies that enrollment clients require validation of the issuing CA's certification path during enrollment.
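The enrollment policy servers that a client trusts come from two places: entries delivered through Group Policy and entries configured locally, for example through the Manage Enrollment Policies dialog box described in this topic. The following added example (not part of the original topic; requires the PKI module on Windows 8 / Windows Server 2012 or later) lists both sets for the user and computer contexts and then removes a decommissioned server, which is the scripted counterpart of the Remove button in the Properties dialog box. The URL is an assumption.

```powershell
# Added example (not from the original topic). Requires the PKI module
# (Windows 8 / Windows Server 2012 or later). The URL is an assumption.
$Stale = 'https://old-cep.contoso.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP'

foreach ($ctx in 'User', 'Machine') {
    # Applied    = policy servers delivered through Group Policy.
    # Configured = policy servers added locally (certmgr.msc or the cmdlets).
    # Reviewing both shows every endpoint this client will accept policy from.
    Write-Host "== $ctx : enrollment policy servers applied by Group Policy =="
    Get-CertificateEnrollmentPolicyServer -Scope Applied -Context $ctx | Format-List *

    Write-Host "== $ctx : locally configured enrollment policy servers =="
    Get-CertificateEnrollmentPolicyServer -Scope Configured -Context $ctx | Format-List *
}

# Remove the decommissioned server from the user's locally configured list.
# As the Properties dialog box notes, when the last server supporting an
# enrollment policy is removed, the policy itself is removed as well.
$match = Get-CertificateEnrollmentPolicyServer -Scope Configured -Context User |
    Where-Object { $_.Url -eq $Stale }
if ($match) {
    Remove-CertificateEnrollmentPolicyServer -Url $Stale -Context User -Confirm:$false
    Write-Host "Removed $Stale"
} else {
    Write-Host "$Stale is not in the locally configured list; nothing to remove."
}
```

Entries in the Applied scope cannot be removed this way; they are managed through the Group Policy setting that delivers them and reappear at the next policy refresh if edited locally.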


Additional references