Setting up a User’s cert autoenrollment with Microsoft CA

This lab includes the fallowing setup

LAB-DC01Windows 2019 Standard with:
AD Domain Role
AD Ent Certification Authority with Enrolment Services Role

Don’t you know if you have a Stand Alone or an Enterprise CA?

Do do this, you must have the “Enrolment Services” under Site and Services… To check this do this:

First we need to create a custom model , so open Certification Authority and go to Certificate Templates, right click and open “Manage”.

Duplicate the User template.

Change name ,and eventually the Valid and Renewal time frame.

Under Request Handling, check that the key could be exported and that NO user interaction is required.

Under Subject Name, enable only this options you have .
Take in mind that if some of this settings are not populated in AD, the auto enrolment process will not work.

Finally, change the group assignment under Security .

Now press OK and add this template to your CA.

Select your template…


At this point we need a GPO to allow the auto-enrol of user’s cert….

Open Group Policy Management and create a GPO linked at root level , in my case User_Cert_Auto_Enrol .

Now, edit it and enable the “user” Public Key Policies/Certificate Services Client – Auto-Enrollment Settings

At this point, add a TEST user into your security group , in my case Auto_Cert_Enrol_User_Group, login with a Windows AD joined PC and check the user personal cert….


The CA before login…

Login with the user TEST…

The CA after login ..

Finally, you can check it into the client with MMC => add local cert.

that’s it!

Leave a Reply

Your email address will not be published. Required fields are marked *