The following sections cover configuring group policies on the Active Directory (AD) server and EJBCA certificate chain deployment.

Step 1 - Certificate Chain Deployment

The following covers how to install the certificate chain from EJBCA into the client certificate stores by downloading the CA certificates from EJBCA and then setting group policies to automatically place the CA certificates into their respective certificate stores.

Download CA Certificates

To download the CA Certificates using the EJBCA RA Web, do the following:

  1. On the AD Domain Services Server, go to the EJBCA RA Web CA Certificates and CRLs page on http://<ejbcaserver.yourcompany.com>:8080/ejbca/ra/cas.xhtml.
  2. Click Internet Explorer to download the Root CA certificate, the Intermediate CA certificate, and the Issuing CA certificate.

Import Certificates

Next, set the group policies to automatically place the CA certificates into their respective certificate stores. Note that a Group Policy Object (GPO) is a set of Group Policy configurations.

  1. Open the Group Policy Management (gpmc.msc) on the AD Server.
  2. Expand your domain forest, and select <yourcompany.com> from your Domains.
  3. Right-click and select Create a GPO in this domain, and Link it here.
  4. Set the GPO name to Trusted EJBCA CA certs.
  5. Right-click Trusted EJBCA CA certs GPO and click Edit.
  6. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
  7. Click the Action menu or right-click and then click Import.
  8. Follow the instructions in the Certificate Import Wizard to import the Root CA certificate.
  9. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Intermediate Certification Authorities.
  10. Click the Action menu or right-click and then click Import.
  11. Follow the instructions in the Certificate Import Wizard to import the Intermediate CA certificate.
  12. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Intermediate Certification Authorities.
  13. Click the Action menu or right-click and then click Import.
  14. Follow the instructions in the Certificate Import Wizard to import the Issuing CA certificate.
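Once the GPO has applied, the placement can be checked from a domain-joined client instead of opening each store by hand. The following PowerShell script is an added example, not part of the EJBCA documentation; the three CA subject names are assumptions and must be replaced with your own.

```powershell
# Added verification script (not from the EJBCA documentation). Run on a domain-joined
# client in an elevated PowerShell. The subject names below are assumptions.
$RootSubject    = 'CN=EJBCA Root CA'           # assumption: your Root CA subject
$IntermSubject  = 'CN=EJBCA Intermediate CA'   # assumption: your Intermediate CA subject
$IssuingSubject = 'CN=EJBCA Issuing CA'        # assumption: your Issuing CA subject

function Find-CaCert {
    param([string]$Store, [string]$Subject)
    # Logical stores under Cert:\LocalMachine include the Group Policy physical store,
    # so certificates pushed by the 'Trusted EJBCA CA certs' GPO show up here.
    Get-ChildItem -Path "Cert:\LocalMachine\$Store" | Where-Object { $_.Subject -eq $Subject }
}

# Refresh computer policy first so the check reflects the newly linked GPO.
gpupdate /target:computer /force | Out-Null

# Root CA belongs in Trusted Root Certification Authorities (Root); the Intermediate
# and Issuing CAs both belong in Intermediate Certification Authorities (CA).
$root    = Find-CaCert -Store 'Root' -Subject $RootSubject
$interm  = Find-CaCert -Store 'CA'   -Subject $IntermSubject
$issuing = Find-CaCert -Store 'CA'   -Subject $IssuingSubject

foreach ($pair in @(@('Root', $root), @('Intermediate', $interm), @('Issuing', $issuing))) {
    if ($pair[1]) { "$($pair[0]) CA present: $($pair[1].Thumbprint)" }
    else          { Write-Warning "$($pair[0]) CA is missing from its expected store" }
}

# Build the chain from the issuing CA up to a trusted root using the local stores only.
# Revocation checking is disabled here because the goal is to prove store placement,
# not CRL reachability; a client that cannot build this chain cannot validate enrollment.
if ($issuing) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($issuing)
    "Chain from issuing CA builds to a trusted root: $ok"
    $chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation } }
}
```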

Step 2 - Configure Group Policies on AD server

Configure Group Policies on the AD server according to the following:

  1. Access the Group Policy Management (gpmc.msc) on the AD Domain Services server.
  2. Expand your domain forest, click Domains > your domain name, and then select Default Domain Policy.
  3. Right-click Default Domain Policy and select Edit.
  4. Expand Computer Configuration and select Policies > Windows Settings > Security Settings > Public Key Policies.
  5. Edit Certificate Services Client – Auto-Enrollment according to the following and then click OK.
    • Change Configuration Model to Enabled.
    • Select Update certificates that use certificate templates.
  6. Expand User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  7. Edit Certificate Services Client – Auto-Enrollment according to the following and then click OK.
    • Change Configuration Model to Enabled.
    • Select Update certificates that use certificate templates.

Optionally: If you need to publish the user certificates in Active Directory and keep the same user certificate across all domain-joined workstations, perform the following steps. Otherwise, by design, a user who logs on to multiple workstations is issued a separate certificate for each workstation profile.

  1. Expand User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  2. Edit Certificate Services Client – Credential Roaming:
    • Click the General tab, change to Enabled, and click OK.
    • In the message about the Roaming User Profile exclusion list that is displayed, acknowledge it and click OK.

Step 3 - Update Group Policy for Certificate Enrollment

To update the Group Policy for Certificate Enrollment, do the following:

  1. Access the Group Policy Management (gpmc.msc) on the AD Domain Services server.
  2. Expand your domain forest, click Domains > your domain name, and then select Default Domain Policy.
  3. Right-click Default Domain Policy and select Edit.
  4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  5. Edit Certificate Services Client – Certificate Enrollment Policy.
  6. Change Configuration Model to Enabled.
  7. Remove the Active Directory Enrollment Policy from the Certificate Enrollment policy list, and then click Add.
  8. Enter the policy server URI: https://<ejbcaserver.yourcompany.com:8442>/ejbca/msae/CEPService?msae, click Validate Server, and then click Add.
    • Multiple policy servers can be added here (EJBCA or others). An EJBCA CEP Service URI will be listed with Policy Name as configured in Part 3b: EJBCA Policy Server Configuration.
    • Using the URI format above, changing the ?msae query parameter points the client to a different alias in EJBCA. This may be desired if the EJBCA Auto-enrollment configuration contains multiple aliases representing different domains.
  9. Select Default, and then click Add.
  10. Expand User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  11. Edit Certificate Services Client – Certificate Enrollment Policy.
  12. Change Configuration Model to Enabled.
  13. Remove the Active Directory Enrollment Policy from the Certificate Enrollment policy list, and then click Add.
  14. Enter the policy server URI https://<ejbcaserver.yourcompany.com:8442>/ejbca/msae/CEPService?msae, click Validate Server and then click Add.
  15. Select Default, and then click OK.

Step 4 - Test Microsoft Auto-enrollment

To test the Microsoft Auto-enrollment:

  1. Add the Windows client host as a member of the domain (yourcompany.com).
  2. For any user who has logged in previously, you may need to delete the cached policy information in the local user account directory.
    1. The location of the cached user policy is: %userprofile%\AppData\Local\Microsoft\Windows\X509Enrollment
    2. The location of the cached machine policy is: %programdata%\Microsoft\Windows\X509Enrollment
  3. Log in as a user who is a member of the Domain Admins group.
  4. Open the Microsoft Management Console (mmc.exe).
  5. Click File > Add/Remove Snap-in and add the Certificates snap-in for both the current user and the local computer.
  6. Verify that the user certificate was generated (Current User / Personal / Certificates).
    Ensure that the user certificate in the Personal store is issued by your issuing CA using the duplicated template.
  7. Verify that the computer certificate was generated (Local Computer / Personal / Certificates; checking the local computer certificate store requires administrator privileges).
    Ensure that the computer certificate in the Personal store is issued by your issuing CA using the duplicated template.
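The same test can be scripted so that the cache clearing, the policy refresh, and both store checks run in one pass. This PowerShell script is an added example and not part of the EJBCA documentation; the issuing CA subject is an assumption and the EJBCA host name is a placeholder, and it relies on the Windows PKI module cmdlet Get-CertificateEnrollmentPolicyServer plus certutil to trigger auto-enrollment.

```powershell
# Added test script (not from the EJBCA documentation). Run in an elevated PowerShell on
# the domain-joined client, logged on as the domain user being tested.
$IssuingSubject = 'CN=EJBCA Issuing CA'            # assumption: your issuing CA subject
$CepHost        = 'ejbcaserver.yourcompany.com'    # placeholder for your EJBCA host

# 1. Clear the cached enrollment policy (the two locations named in Step 4) so the
#    client re-reads the EJBCA CEP policy instead of a stale AD policy.
foreach ($dir in "$env:USERPROFILE\AppData\Local\Microsoft\Windows\X509Enrollment",
                 "$env:ProgramData\Microsoft\Windows\X509Enrollment") {
    Remove-Item -Path "$dir\*" -Recurse -Force -ErrorAction SilentlyContinue
}

# 2. Refresh Group Policy and trigger the auto-enrollment tasks for both contexts.
gpupdate /force        | Out-Null
certutil -pulse        | Out-Null   # machine context
certutil -user -pulse  | Out-Null   # user context

# 3. Confirm the applied enrollment policy references the EJBCA CEP service, not AD.
foreach ($ctx in 'Machine', 'User') {
    $applied = Get-CertificateEnrollmentPolicyServer -Scope Applied -Context $ctx | Out-String
    if ($applied -match [regex]::Escape($CepHost)) { "$ctx enrollment policy: EJBCA CEP service applied" }
    else { Write-Warning "$ctx enrollment policy does not reference ${CepHost}:`n$applied" }
}

# 4. List Personal-store certificates issued by the issuing CA that have a private key,
#    and show the template they came from (Certificate Template extensions,
#    1.3.6.1.4.1.311.21.7 for v2+ templates, 1.3.6.1.4.1.311.20.2 for v1 template names).
function Get-EjbcaEnrolledCert {
    param([string]$StorePath, [string]$Issuer)
    Get-ChildItem -Path $StorePath | Where-Object { $_.Issuer -eq $Issuer -and $_.HasPrivateKey } |
        ForEach-Object {
            $tpl = $_.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' }
            [pscustomobject]@{
                Store      = $StorePath
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                Template   = ($tpl | ForEach-Object { $_.Format($false) }) -join '; '
                Thumbprint = $_.Thumbprint
            }
        }
}

$stores  = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
$results = $stores | ForEach-Object { Get-EjbcaEnrolledCert -StorePath $_ -Issuer $IssuingSubject }
$results | Format-Table -AutoSize
foreach ($store in $stores) {
    if (-not ($results | Where-Object Store -eq $store)) { Write-Warning "No certificate from $IssuingSubject in $store" }
}
```

If step 3 warns that the AD policy is still applied, re-check the Certificate Enrollment Policy setting from Step 3 before looking at the stores, since the client will otherwise never contact the EJBCA CEP service.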