Auto Enrollment Configuration Guide

This is an EJBCA Enterprise feature.

Overview

This guide covers integrating EJBCA with Microsoft Auto Enrollment. It provides instructions for installing a new Microsoft Active Directory Certificate Services server, which is used together with the PrimeKey Auto Enrollment servlet to proxy auto enrollment requests to EJBCA.

PrimeKey Auto Enrollment Servlet

The PrimeKey Auto Enrollment Servlet integrates into a Microsoft Active Directory environment to provide a means to automatically enroll for certificates from a third-party Certificate Authority.

Certificate Enrollment with CEP / CES and Auto Enroll Servlet

The PrimeKey Auto Enrollment servlet leverages the built-in Microsoft Certificate Enrollment Policy Web Service (CEP) and Certificate Enrollment Web Service (CES) to integrate into a Microsoft Active Directory environment.

  • Microsoft Certificate Enrollment Policy Web Service (CEP) enables users and computers to obtain certificate enrollment policy information.

  • Certificate Enrollment Web Service (CES) enables users and computers to perform certificate enrollment by using the HTTPS protocol.

These technologies are utilized by domain users and computers during manual and auto enrollment for X.509 certificates.

Generally, certificate enrollment requests are submitted to a Microsoft CA. As part of the configuration process, the enrollment server URL for the Microsoft CA is changed so that certificate requests are redirected to the PrimeKey Auto Enrollment servlet.

About this Guide

This guide covers integrating EJBCA with Microsoft Auto Enrollment, which requires a strong understanding of Microsoft Active Directory, Microsoft Certification Authorities, Group Policy Management, EJBCA, and PKI. For more information on the requirements, see Auto Enrollment Requirements.

The guide includes the following sections:

By the end of this guide, you will have an environment where Active Directory Domain Users and Computers will seamlessly auto enroll for certificates issued by EJBCA.