Microsoft Auto-enrollment Overview

This is an EJBCA Enterprise feature.

The following provides an overview of Microsoft Auto-enrollment and support in EJBCA.

For a guide and instructions on how to set up auto-enrollment, see Microsoft Auto-enrollment Operations.

Auto-enrollment is the method with which Microsoft Windows servers and clients provision Active Directory (AD) certificates within a Microsoft domain. Once set up in Group Policy, clients connect to a configured Certificate Enrollment Policy Server (CEP), which initially returns a set of Certificate Enrollment Policies that entitle the client to the corresponding certificates. The client then sends a request for those certificates, which is passed on to a server running Microsoft CA, which enrolls the client for the requested certificates. This process is fully transparent to the client, as are any subsequent certificate renewals. Microsoft Auto-enrollment (MSAE) allows Windows administrators to maintain a PKI within their domains without requiring any action from users.


The problem with this setup is that it is domain specific. In other words, this setup needs to be duplicated for each domain you have in your organization. In an enterprise environment involving hundreds of domains and tens of thousands of users, this solution does not scale.


This is where EJBCA becomes your solution: by using the EJBCA CA instead of the Microsoft CA and configuring the clients to connect directly to EJBCA RA machines instead of Microsoft Certificate Services, a single EJBCA CA can serve your entire Microsoft PKI through RA instances.


For more information on how to configure auto-enrollment in EJBCA, see Microsoft Auto-enrollment Operations.