How to Auto-Enroll Certificates from AD CS

Active Directory Certificate Services (AD CS) is a Windows server software solution designed to issue x.509 digital certificates. Certificates have proven to be more secure and easier to use than passwords, and are commonly used for Wi-Fi, VPN, and web applications.

Microsoft recognized the advantages of certificates and built AD CS to help deploy them in Microsoft environments. However, AD CS has rarely received updates since its introduction and can be tricky to use. Many IT admins run into problems when managing a Public Key Infrastructure (PKI) and enrolling users for certificates.

In this article we walk through the methods for auto-enrolling certificates from AD CS and dispel some of the mystery surrounding certificates along the way.

How to Set Up Automatic Enrollment in AD CS Natively

AD CS works natively with Microsoft Group Policy (GPO) to deploy certificates on AD-managed devices. To create a group policy for auto-enrollment follow these steps:

  1. Launch the Group Policy Management console.
    1. From the Start menu, click Run.
    2. Type gpmc.msc in the text box, and click OK.
  2. In the left pane, on the Domain Controller, right-click and select Create a GPO in this domain, and Link it here. The New GPO dialog box appears.
  3. Type a Name for the group policy and click OK.
  4. Right-click on the newly created group policy, and click Edit.
  5. Go to User Configuration > Windows Settings > Security Settings > Public Key Policies, and then under the Object Type section in the right pane, select Certificate Services Client – Auto-Enrollment.
  6. Right-click on Certificate Services Client – Auto-Enrollment and click Properties.
  7. Under Enrollment Policy Configuration tab,
    1. For the Configuration Model, select Enabled from the drop-down list.
    2. Select the following check boxes,
      • Renew expired certificates, update pending certificates, and remove revoked certificates
      • Update certificates that use certificate templates
    3. Click OK.
  8. Save your changes and close the Group Policy Management console.
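Once the policy has been linked and a client has refreshed Group Policy, it helps to confirm that the setting actually landed and that enrollment happens, rather than waiting for the next refresh cycle. The following PowerShell script is an added example, not part of the original article: it reads the AEPolicy value the GPO writes under the Cryptography\AutoEnrollment policy keys for both the user and computer scopes, triggers an enrollment pass with `certutil -pulse`, and lists the certificates in the personal stores together with the template that issued them. The decoding of the AEPolicy option bits is my reading of wincrypt.h and is an assumption; the 0x8000 "disabled" bit and the `certutil -pulse` behaviour are documented.

```powershell
# Added example (not from the original article): verify that the Auto-Enrollment GPO
# described above has applied, trigger an enrollment pass, and list the result.
# Assumptions: run in an elevated PowerShell on a domain-joined client after
# "gpupdate /force". The option-bit names below are an assumption from wincrypt.h.

$Scopes = @{
    'User'     = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    'Computer' = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
}

function Get-AutoEnrollmentState {
    param([string]$Scope, [string]$Path)
    $result = [ordered]@{ Scope = $Scope; Configured = $false; Enabled = $false; AEPolicy = $null; Options = @() }
    if (Test-Path $Path) {
        $value = (Get-ItemProperty -Path $Path -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        if ($null -ne $value) {
            $result.Configured = $true
            $result.AEPolicy   = ('0x{0:X}' -f $value)
            # 0x8000 is what the console writes for "Disabled"; anything else is "Enabled".
            $result.Enabled = -not ($value -band 0x8000)
            # Assumed option-bit mapping: with both check boxes in step 7 ticked the
            # console writes 0x7, i.e. all three option bits set.
            if ($value -band 0x1) { $result.Options += 'template check' }
            if ($value -band 0x2) { $result.Options += 'My store management (renew/remove)' }
            if ($value -band 0x4) { $result.Options += 'pending request fetch' }
        }
    }
    [pscustomobject]$result
}

$states = foreach ($s in $Scopes.GetEnumerator()) { Get-AutoEnrollmentState -Scope $s.Key -Path $s.Value }
$states | Format-Table -AutoSize

if (-not ($states | Where-Object { $_.Enabled })) {
    Write-Warning 'Auto-enrollment is not enabled in either scope; confirm the GPO is linked and applied (gpresult /r).'
}

# Run an auto-enrollment pass now instead of waiting for the next Group Policy refresh.
certutil -pulse | Out-Null

# List the certificates the client holds and the template each was issued from.
# Template details live in the "Certificate Template Information" extension
# (1.3.6.1.4.1.311.21.7) or the older "Certificate Template Name" extension (1.3.6.1.4.1.311.20.2).
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    ForEach-Object {
        $tmpl = $_.Extensions |
            Where-Object { $_.Oid.Value -in $templateOids } |
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Store    = ($_.PSParentPath -replace '.*::', '')
            Subject  = $_.Subject
            Issuer   = $_.Issuer
            NotAfter = $_.NotAfter
            Template = ($tmpl -join '; ')
        }
    } | Format-Table -AutoSize
```

If the table shows the policy as configured but no certificate appears after the pulse, the usual causes are the template not granting the user or computer Autoenroll permission, or the client not being able to reach the issuing CA; the CertificateServicesClient-Lifecycle event logs on the client record which of the two it is.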

Issuing AD CS Certificates on Managed Devices

Most MDMs will have issues trying to push out certificates on their devices because AD CS only natively integrates with GPO. Fortunately, you don’t have to manually set up each and every one of your devices for a certificate because of a technology called SCEP.

Simple Certificate Enrollment Protocol (SCEP) is one of the most commonly used methods of auto-enrolling managed devices for certificates as it can be easily used with Intune and Jamf. It allows managed devices to communicate directly with a PKI without requiring any human interaction.

SecureW2’s powerful certificate enrollment gateway will enable any MDM you choose (Jamf, Intune, GPO, Google Workspace, etc.) to push configuration payloads to your managed devices for automatic self-enrollment of certificates. For more info on supported systems, check out our managed device solutions page.

Below is an example that illustrates the ease of using Jamf and SCEP to issue your AD CS certificates to all of your managed devices in just a few minutes.

Configure SCEP Gateway API in SecureW2

  1. Use our Getting Started Wizard to generate a shared secret key and an access token.
  2. Following the prompts, use the shared secret and the token to create a new SCEP URL. This URL will later be pushed to your devices to enable auto-enrollment for certificates.
  3. The last step is to create your Enrollment Policies. These can differ based on the needs of an organization, but most users will choose a setup similar to the one pictured below.

Configure Certificate Template for SCEP Gateway

  1. Insert the SCEP URL you previously created. It contains all the necessary instructions for your MDMs to configure themselves to request client certificates from SecureW2. The screenshot below is an example of a typical config for Jamf-managed devices.
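Before a SCEP URL goes into an MDM profile it is worth confirming, from an admin workstation, that the gateway answers and that it hands out the CA you expect. The script below is an added example, not SecureW2's code or anything from the original article: it issues the two unauthenticated SCEP operations defined in RFC 8894, GetCACaps (which capabilities the server advertises) and GetCACert (the CA or CA+RA certificates), and prints the result. The URL is a placeholder to be replaced with the SCEP URL generated in the wizard; the handling of the two response formats (a single DER certificate versus a degenerate PKCS#7 for a CA+RA chain) follows the RFC.

```powershell
# Added example (not SecureW2's code): sanity-check a SCEP URL before pushing it to devices.
# Performs the unauthenticated GetCACaps and GetCACert operations from RFC 8894.
# $ScepUrl is a placeholder; substitute the SCEP URL created in the SecureW2 wizard.

$ScepUrl = 'https://scep.example.invalid/scep'   # placeholder, not a real gateway URL

# SignedCms lives in System.Security on Windows PowerShell 5.1; harmless if already loaded.
try { Add-Type -AssemblyName System.Security -ErrorAction Stop } catch { }

function Get-ScepCaCaps {
    param([Parameter(Mandatory)][string]$Url)
    # Capabilities come back as plain text, one token per line (e.g. POSTPKIOperation, SHA-256).
    $resp = Invoke-WebRequest -Uri "$Url?operation=GetCACaps" -UseBasicParsing -ErrorAction Stop
    ($resp.Content -split "`r?`n") | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
}

function Get-ScepCaCert {
    param([Parameter(Mandatory)][string]$Url)
    # Download to a file so the body is read as raw bytes regardless of PowerShell version.
    $tmp = [IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri "$Url?operation=GetCACert" -UseBasicParsing -OutFile $tmp -ErrorAction Stop
        $bytes = [IO.File]::ReadAllBytes($tmp)
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
    # application/x-x509-ca-ra-cert is a degenerate PKCS#7 carrying the CA and RA certs;
    # application/x-x509-ca-cert is a single DER certificate. Try PKCS#7 first, then DER.
    try {
        $cms = [System.Security.Cryptography.Pkcs.SignedCms]::new()
        $cms.Decode($bytes)
        return $cms.Certificates
    } catch {
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    }
}

$caps = Get-ScepCaCaps -Url $ScepUrl
"CA capabilities: $($caps -join ', ')"
if (-not ($caps -contains 'SHA-256' -or $caps -contains 'SHA-512')) {
    Write-Warning 'Gateway does not advertise a SHA-2 digest; clients may fall back to weaker hashing.'
}
if ($caps -notcontains 'POSTPKIOperation') {
    Write-Warning 'Gateway does not advertise POSTPKIOperation; enrollment requests will be sent as GETs.'
}

"Certificates returned by GetCACert:"
Get-ScepCaCert -Url $ScepUrl |
    Select-Object Subject, Issuer, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

Compare the Subject and Thumbprint values printed here with the CA you intend devices to trust; a gateway that answers but returns an unexpected issuer is the kind of misconfiguration that is much cheaper to catch now than after the profile has been pushed to every managed device.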

Push the Payload to Your MDM

Now that your configuration profile (the ‘payload’ of network settings) is properly set up, you can push it to your devices through the recently configured SCEP Gateway.

You can also use Microsoft’s WSTEP protocol to achieve a similar outcome through GPO. However, many customers enjoy the flexibility that our Gateways offer them so they can easily support all their devices, regardless of the MDM.

Enrolling AD CS Certificates and Installing Them on BYOD Devices

With SecureW2’s #1 Rated Onboarding Client, organizations can easily install certificates and configure certificate-based WPA2-Enterprise Wi-Fi settings on any BYOD device. With solutions for every Operating System, all you need to do is direct users to the SecureW2 Landing Page and their OS will be detected and the appropriate Onboarding Client deployed to their device. From there, they go through a one-time configuration.

After entering their network credentials, the client will enroll them for a unique client certificate and configure their device to use that certificate for secure network access. Here is a complete guide on how to enroll AD CS certificates on BYOD devices with SecureW2.

Deploying AD CS Certificates with SecureW2

While AD CS is a useful tool for AD-domain PKI management, organizations that aren’t completely built on Microsoft environments will face numerous issues. Combining AD CS and SecureW2 is the best way to distribute and manage your certificates. Integrating your network with SecureW2 is a cost-effective solution that enhances user experience and network security. Check out our pricing page to see how our solutions work for you.

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, and that other people think are mildly funny. Eytan is a graduate of the University of Washington, where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.