Group Policy

This certificate enrollment is based on the XCEP and WSTEP protocols, which all recent Windows versions support natively. In Active Directory environments, the necessary settings can be applied via Group Policy Objects (GPOs) to make AD-joined computers enroll certificates from SCEPman.

In this scenario, three group policy settings are required for a fully automated certificate deployment.

1. Registration of the CEP server

The CEP (Certificate Enrollment Policy) server, which is part of SCEPman, provides an authenticated client with a policy containing all certificate templates configured on SCEPman for Active Directory enrollment. The CEP server needs to be registered on the clients in the registry. Windows includes GPO templates to configure the necessary settings in the GUI.

Policy Configuration

For the certificate templates Device and DC, go into the Computer Configuration hive. For User, navigate into the User Configuration hive. If you use certificate templates of both kinds, you have to configure both. In that case, you will usually use two GPOs: one applied to users with the User Configuration and one applied to computers with the Computer Configuration.

Setting location in Group Policy Management Editor (gpmc.msc)
Computer Configuration / User Configuration
└─ Policies
   └─ Windows Settings
      └─ Security Settings
         └─ Public Key Policies
            └─ Certificate Services Client - Certificate Enrollment Policy Server

In the setting, add a new CEP server to the list and enter the policy server URI in the respective input field. You can copy this URI from your SCEPman's homepage. It follows the scheme https://scepman.contoso.com/step/policy. After entering and validating the CEP server URI, finish the setting by adding it and confirming the dialog.

If you are using the SCEPman CEP server in parallel to your existing AD CS, you need to choose a default server and make sure you keep the existing enrollment policy.

2. Enable Auto-Enrollment

With the registered CEP server, your users and computers can request certificates from SCEPman. Usually, you want them to do this automatically without user interaction, and for this you have to enable Auto-Enrollment. Note that it may already be enabled if you were using Auto-Enrollment before with Microsoft Active Directory Certificate Services (AD CS).

Setting location in Group Policy Management Editor (gpmc.msc)
Computer Configuration / User Configuration
└─ Policies
   └─ Windows Settings
      └─ Security Settings
         └─ Public Key Policies
            └─ Certificate Services Client - Auto-Enrollment

Make sure to check "Update certificates that use certificate templates" to enable automatic enrollment.

3. Install Trusted Root CA

With the enrollment policy server and auto-enrollment settings in place, you just need to make sure that your target devices or users trust your SCEPman CA certificate. For this to happen, you need to import the CA certificate in the corresponding GPO setting.

Setting location in Group Policy Management Editor (gpmc.msc)
Computer Configuration / User Configuration
└─ Policies
   └─ Windows Settings
      └─ Security Settings
         └─ Public Key Policies
            └─ Trusted Root Certification Authorities
               └─ Import (Context Menu)

Download your SCEPman's CA certificate from its homepage and import it in this dialog.
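The following PowerShell script is an added verification example, not part of the SCEPman documentation: run on an AD-joined client after `gpupdate /force`, it checks that all three settings above are in effect. The policy URI and CA thumbprint are placeholders for your own SCEPman instance, and the registry paths are the ones the two GPO settings write to under SOFTWARE\Policies\Microsoft\Cryptography.

```powershell
# Added verification script (not SCEPman's own code). Confirms on a client that
# the three GPO settings from this page took effect for the chosen scope.
# Assumptions: $ExpectedPolicyUri and $ExpectedCaThumbprint are placeholders
# you replace with the values shown on your SCEPman homepage.
param(
    [string]$ExpectedPolicyUri = 'https://scepman.contoso.com/step/policy',
    [string]$ExpectedCaThumbprint = 'REPLACE-WITH-YOUR-SCEPMAN-ROOT-CA-THUMBPRINT',
    [ValidateSet('Machine', 'User')][string]$Scope = 'Machine'
)
$hive   = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
$store  = if ($Scope -eq 'Machine') { 'Cert:\LocalMachine\Root' } else { 'Cert:\CurrentUser\Root' }
$crypto = "$hive\SOFTWARE\Policies\Microsoft\Cryptography"
$ok = $true

# 1. CEP server registration: the GPO creates one subkey per policy server,
#    each carrying the server URI in its URL value
$servers = Get-ChildItem -Path "$crypto\PolicyServers" -ErrorAction SilentlyContinue |
           ForEach-Object { Get-ItemProperty -Path $_.PSPath }
if (-not ($servers | Where-Object { $_.URL -eq $ExpectedPolicyUri })) {
    Write-Warning "Step 1: CEP server '$ExpectedPolicyUri' is not registered"; $ok = $false
}
# Enrollment requests are authenticated, so every registered policy server
# URI is expected to use https
foreach ($s in ($servers | Where-Object { $_.URL -and $_.URL -notmatch '^https://' })) {
    Write-Warning "Step 1: policy server '$($s.URL)' does not use https"; $ok = $false
}

# 2. Auto-enrollment: AEPolicy bit 0x2 is "Update certificates that use
#    certificate templates"; 0x8000 means the policy is disabled
$ae = (Get-ItemProperty -Path "$crypto\AutoEnrollment" -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $ae -or ($ae -band 0x8000) -or -not ($ae -band 0x2)) {
    Write-Warning "Step 2: auto-enrollment with template updates is not enabled (AEPolicy=$ae)"
    $ok = $false
}

# 3. Trusted root: the SCEPman CA certificate must be present in the Root store
$ca = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $ExpectedCaThumbprint }
if (-not $ca) {
    Write-Warning "Step 3: SCEPman CA $ExpectedCaThumbprint not found in $store"; $ok = $false
} elseif ($ca.NotAfter -lt (Get-Date).AddDays(90)) {
    # 90 days is an arbitrary heads-up threshold for CA rollover planning
    Write-Warning "Step 3: SCEPman CA certificate expires on $($ca.NotAfter)"
}

if ($ok) { Write-Output "All three GPO settings are effective ($Scope scope)" } else { exit 1 }
```

Run it with `-Scope User` in the context of a user who receives the User Configuration GPO to check the user-side enrollment path.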
