developmentbta.blogg.se

Associate certificate bcit










The first preference is given to the lowest priority. Make sure that the priority value of the key-based renewal enrollment policy is lower than the priority value of the Username Password enrollment policy.

Click Add to add an enrollment policy, and enter the CEP URI with UsernamePassword that we edited in ADSI.

Go to Computer Configuration > Windows Settings > Security Settings, and then click Public Key Policies.

Enable the Certificate Services Client - Auto-Enrollment policy to match the settings in the following screenshot.

Enable Certificate Services Client - Certificate Enrollment Policy.

A. Select Start > Run, and then enter gpedit.msc.

On the client computer, set up the Enrollment policies and Auto-Enrollment policy.

Change the msPKI-Enrollment-Servers attribute by using the custom port with your CEP and CES server URIs that were found in the application settings.

These are valid client certificates for authentication that do not directly map to a security principal.

Connect to the Configuration partition, and navigate to your CA enrollment services object:

CN=ENTCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com

The -AllowKeyBasedRenewal parameter also specifies that the CES will accept key-based renewal requests for the enrollment server.


The -RenewalOnly parameter lets CES run in renewal-only mode. SSLCertThumbPrint is the thumbprint of the certificate that will be used to bind IIS. In this command, the identity of the Certificate Enrollment Web Service is specified as the cepcessvc service account. This command installs the Certificate Enrollment Web Service (CES) to use the certification authority for a computer name of and a CA common name of contoso-CA1-CA.

Install-AdcsEnrollmentWebService -CAConfig "\contoso-CA1-CA" -SSLCertThumbprint "sslCertThumbPrint" -AuthenticationType Certificate -ServiceAccountName "Contoso\cepcessvc" -ServiceAccountPassword (Read-Host "Set user password" -AsSecureString) -RenewalOnly -AllowKeyBasedRenewal


When in key-based renewal mode, the service will return only certificate templates that are set for key-based renewal.


Key-based renewal lets certificate clients renew their certificates by using the key of their existing certificate for authentication. In this command, is the thumbprint of the certificate that will be used to bind IIS.











