This is the client-side process for creating a certificate request, submitting the request, and importing the returned certificate on workgroup computers. These steps need to be done in order. This assumes CEP and CES are working properly in your DMZ and that you have set up the enrollment policy locally. If you are going to automate this, the recommendation is to create a script and then compile it. The account used in the enrollment process should have no access to do anything else on your domain.
Step 1 of 5 – Using an INF (which you’ve already saved), create request
certreq -new SCCM_WORKGROUP.INF SCCM_WORKGROUP.req
Step 2 of 5 – Submit request (this is dependent on a working CES and CEP)
certreq -submit -username DOMAIN\USERNAME -p PASSWORD -PolicyServer "https://server.external.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" -config "https://server.external.com/DOMAIN-CA_CES_UsernamePassword/service.svc/CES" -attrib "CertificateTemplate:WorkgroupCertificateNameHere" SCCM_WORKGROUP.req SCCM_WORKGROUP.cer
Step 3 of 5 – Accepting the Certificate
certreq -accept SCCM_Workgroup.cer
Step 4 of 5 – Exporting the Certificate
certutil -p PASSWORD -exportPFX %computername% SCCM_WORKGROUP.pfx
Step 5 of 5 – Import certificate returned from request
certutil -f -addstore "ROOT" SCCM_WORKGROUP.cer
certutil -p PASSWORD -importPFX SCCM_WORKGROUP.pfx NoExport
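As an added example (not part of the original post), here are the five steps above wrapped in a PowerShell script that stops at the first failing step, masks the password in its own log line, checks that the issued certificate actually landed in the machine store with its private key, and removes the request and PFX files afterwards. The CEP/CES URLs, template name and account are the placeholders from the post, passed in as parameters rather than hard-coded.

```powershell
param(
    [Parameter(Mandatory)] [string] $Username,   # DOMAIN\USERNAME, the enrollment-only account
    [Parameter(Mandatory)] [string] $Password,   # supplied at run time, never stored in the script
    [string] $PolicyServer = "https://server.external.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP",
    [string] $CesConfig    = "https://server.external.com/DOMAIN-CA_CES_UsernamePassword/service.svc/CES",
    [string] $Template     = "WorkgroupCertificateNameHere",   # placeholder template name from the post
    [string] $BaseName     = "SCCM_WORKGROUP"
)
$ErrorActionPreference = "Stop"
$inf = "$BaseName.INF"; $req = "$BaseName.req"; $cer = "$BaseName.cer"; $pfx = "$BaseName.pfx"

# Runs one certreq/certutil step and aborts on a non-zero exit code, so a failed
# submit does not silently fall through to accept/export/import.
function Invoke-Step([string]$Name, [string]$Exe, [string[]]$ArgList) {
    $shown = ($ArgList -join ' ') -replace [regex]::Escape($Password), '********'
    Write-Host "[$Name] $Exe $shown"
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

Invoke-Step "1 create"  certreq @("-new", $inf, $req)
Invoke-Step "2 submit"  certreq @("-submit", "-username", $Username, "-p", $Password,
                                  "-PolicyServer", $PolicyServer, "-config", $CesConfig,
                                  "-attrib", "CertificateTemplate:$Template", $req, $cer)
Invoke-Step "3 accept"  certreq @("-accept", $cer)
Invoke-Step "4 export"  certutil @("-p", $Password, "-exportPFX", $env:COMPUTERNAME, $pfx)
Invoke-Step "5a root"   certutil @("-f", "-addstore", "ROOT", $cer)
Invoke-Step "5b import" certutil @("-p", $Password, "-importPFX", $pfx, "NoExport")

# Verify: the machine store now holds a certificate for this computer with a private key.
$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$env:COMPUTERNAME*" -and $_.HasPrivateKey }
if (-not $issued) { throw "No certificate for $env:COMPUTERNAME with a private key in LocalMachine\My" }
$issued | Format-Table Thumbprint, NotAfter, Subject -AutoSize

# Clean up files that carry the private key or the password-protected export.
Remove-Item $pfx, $req -ErrorAction SilentlyContinue
```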
Notes
Submit request directly to the CA:
certreq -submit -f -config "10.1.0.11\DOMAIN-CA" SCCM_Workgroup.req SCCM_Workgroup.cer
Delete cert url cache:
certutil -urlcache * delete
Delete cert user cache:
C:\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
Delete cert computer cache:
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache