2.1.2.2.2 Autoenrollment in a Domain Environment

This section describes the components of the autoenrollment client that is joined to a domain and how external entities influence the behavior of the autoenrollment process.

The following diagram shows that the autoenrollment process accesses two local data stores, certificate/key storage and local configuration, and communicates with the XCEP server, WSTEP server, CA server, and domain controller. The autoenrollment process examines local certificate storage and renews an already issued certificate or enrolls for new certificates as required, based on a predefined policy that is encoded in the form of CEPs.

Figure 10: The autoenrollment process executing on a computer that is joined to a domain

Certificate storage: This entity provides some implementation-specific persisted local certificate storage that can be logically organized into groups of certificates.

Key storage: This entity provides some implementation-specific persisted local private key storage where it could store private keys associated with the certificates it is requesting.

Local configuration: This entity provides the configuration options and policy server endpoint information.

In the case of DCOM-based certificate enrollment, the autoenrollment process gets the certificate templates and CA information from the domain controller. In the case of Web services certificate enrollment, the Group Policy client on the enrollment client computer gets the policy server endpoint information from the domain controller through the Group Policy: Registry Extension Encoding [MS-GPREG] and updates the local configuration; the autoenrollment process then obtains the policy server endpoint URL information in an implementation-specific way and connects to the XCEP server to download the CEP. Depending on the available CEP and the certificates currently present in the system's local certificate/key storage, autoenrollment submits requests and persists newly enrolled or renewed certificates in the local certificate storage. In the case of DCOM-based certificate enrollment, autoenrollment submits requests to the CA, whereas in the case of Web services certificate enrollment, it submits the requests to the WSTEP server.
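The following model, added here as an illustration and not part of the specification or of any Windows implementation, shows the per-template decision the paragraph describes: the CEP is walked, the local store is examined, and each template ends up as "enroll" (no usable certificate), "renew" (certificate inside its renewal window) or "keep". The template names, field names and renewal periods are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TemplatePolicy:
    """One certificate template as carried in a CEP (hypothetical field names)."""
    name: str
    renewal_period: timedelta  # renew once remaining lifetime falls below this


@dataclass(frozen=True)
class LocalCert:
    """A certificate found in implementation-specific local certificate storage."""
    template: str
    not_after: datetime


def plan_autoenrollment(cep, store, now):
    """Return {template_name: action}, action being 'enroll', 'renew' or 'keep'.

    Enroll where no valid certificate issued from the template exists; renew
    where the newest valid one is inside the template's renewal window."""
    plan = {}
    for tpl in cep:
        # Expired certificates are treated as absent, so they trigger enrollment.
        valid = [c for c in store if c.template == tpl.name and c.not_after > now]
        if not valid:
            plan[tpl.name] = "enroll"
            continue
        newest = max(valid, key=lambda c: c.not_after)
        plan[tpl.name] = "renew" if newest.not_after - now <= tpl.renewal_period else "keep"
    return plan


def submission_target(transport):
    """DCOM-based enrollment submits to the CA; Web services enrollment to WSTEP."""
    return {"dcom": "CA", "ws": "WSTEP"}[transport]


# Constructed sample data (template names and dates are not from the specification).
NOW = datetime(2024, 6, 1)
CEP = [TemplatePolicy(n, timedelta(weeks=6))
       for n in ("ExampleTemplateA", "ExampleTemplateB", "ExampleTemplateC")]
STORE = [
    LocalCert("ExampleTemplateA", NOW + timedelta(days=200)),  # healthy: keep
    LocalCert("ExampleTemplateB", NOW + timedelta(days=10)),   # in renewal window: renew
    LocalCert("ExampleTemplateC", NOW - timedelta(days=3)),    # expired: enroll anew
]

if __name__ == "__main__":
    print(plan_autoenrollment(CEP, STORE, NOW), submission_target("ws"))
```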

The local certificate/key storage can be read or modified by other systems in an implementation-specific way, but the autoenrollment process makes no assumptions about how or even if this happens. Local configuration is modified by the computer administrator through the use of an administration tool, such as a Group Policy client.