You can configure the policy module to automatically approve all certificate requests or to mark requests as pending until an administrator can review and act upon the request. The choice will likely depend on the security implications of the certificates being issued, the intended recipients of the certificates, and other factors.
You must be a certification authority (CA) administrator to complete this procedure. For more information, see Implement Role-Based Administration.
To set the default action upon receipt of a certificate request
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. On the Policy Module tab, click Properties.
5. Click the option you want:
   - To have the CA administrator review every certificate request before issuing a certificate, click "Set the certificate request status to pending".
   - To have the CA issue certificates based on the configuration of the certificate template, click "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate".
6. Stop and restart the CA.
In most cases, for security reasons, it is recommended that all incoming certificate requests to a stand-alone CA be marked as pending. Unlike enterprise CAs, stand-alone CAs do not use Active Directory Domain Services (AD DS), even if it is available, to verify that an individual or computer is authorized to be issued a certificate from the CA automatically. For stand-alone CAs, the CA administrator is responsible for verifying the identity of the certificate requester.
If you change the setting from "Set the certificate request status to pending" to "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate", the change applies only to certificate requests submitted to the CA after the default action has been changed. If there are pending requests held by the CA, these requests remain pending until the CA administrator issues the certificates or denies the requests.
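To confirm which default action a CA is actually using, and to see the requests still waiting for review, the following PowerShell check can be run in an elevated session on the CA host. It is an added example, not part of the original procedure. It assumes the CA uses the Microsoft default policy module, which stores this setting in the `RequestDisposition` registry value; the function name `Get-RequestDispositionMeaning` is hypothetical.

```powershell
# Added example: audit the default request action of the local CA.
# Assumption: the active policy module is the Microsoft default one, which
# keeps this setting in the RequestDisposition registry value.
$REQDISP_MASK         = 0xFF    # low byte holds the base disposition
$REQDISP_PENDINGFIRST = 0x100   # hold every request as pending first
$baseNames = @{ 0 = 'PENDING'; 1 = 'ISSUE'; 2 = 'DENY'; 3 = 'USEREQUESTATTRIBUTE' }

function Get-RequestDispositionMeaning {
    param([int]$Value)
    $base = $Value -band $REQDISP_MASK
    # Requests are held if PENDINGFIRST is set or the base disposition is PENDING.
    $held = (($Value -band $REQDISP_PENDINGFIRST) -ne 0) -or ($base -eq 0)
    [pscustomobject]@{
        RawValue      = '0x{0:X}' -f $Value
        Base          = $baseNames[$base]
        HeldAsPending = $held
    }
}

# Locate the active CA and its active policy module in the CertSvc configuration.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$pmRoot  = Join-Path $cfgRoot "$caName\PolicyModules"
$module  = (Get-ItemProperty -Path $pmRoot).Active
$value   = (Get-ItemProperty -Path (Join-Path $pmRoot $module)).RequestDisposition

$result = Get-RequestDispositionMeaning -Value $value
$result | Format-List

if (-not $result.HeldAsPending) {
    Write-Warning "CA '$caName' does not hold every request for administrator review."
}

# Requests already queued stay pending whatever the current setting is.
# Disposition 9 is the CA database value for a pending request.
certutil -view -restrict 'Disposition=9' -out 'RequestID,RequesterName'
```

On a stand-alone CA, a `HeldAsPending` value of `False` means requests are issued without the identity check that the CA administrator is otherwise responsible for.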