PKI – CES/CEP – Enrollment Policy


These are the enrollment policy registry keys taken from a reference machine. You basically set up a reference computer using Manage Enrollment Policies (in mmc, add the Certificates snap-in for the Computer account, then go to Personal, Certificates, All Tasks, Advanced Operations and set up the enrollment policy), export these registry keys, and then automate the import on your client machines.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\PolicyServers]
@=""
"Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\PolicyServers\54317f2ebe81a09c15eeb976a6cead1b98353dff]
"URL"="https://server.external.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
"PolicyID"="{2BEEB86C-F2C8-8C63-796C-0B593C1F6BA5}"
"FriendlyName"="DOMAIN.COM"
"Flags"=dword:00000020
"AuthFlags"=dword:00000004
"Cost"=dword:7ffffffd
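If you would rather not ship a .reg file, the same keys can be written and verified from PowerShell on each client. This is an added example, not part of the original post; the subkey id, URL, PolicyID and friendly name are the reference values exported above and should be replaced with your own export.

```powershell
# Added example: apply the CEP policy-server keys from the reference export
# with the PowerShell registry provider and verify them afterwards.
# Values below are copied from the export on this page (replace with yours).
$base   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\PolicyServers'
$keyId  = '54317f2ebe81a09c15eeb976a6cead1b98353dff'   # subkey name from the export
$policy = @{
    URL          = 'https://server.external.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'
    PolicyID     = '{2BEEB86C-F2C8-8C63-796C-0B593C1F6BA5}'
    FriendlyName = 'DOMAIN.COM'
    Flags        = 0x20        # 0x32 enables auto-enrollment renewal (see Notes)
    AuthFlags    = 0x4
    Cost         = 0x7ffffffd
}

# CEP is only reachable over TLS; refuse a plain-http URL before writing anything.
if ($policy.URL -notmatch '^https://') {
    throw "Policy server URL must use https: $($policy.URL)"
}

# Parent key with the default value and Flags seen in the export.
if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }
Set-ItemProperty -Path $base -Name '(default)' -Value ''
Set-ItemProperty -Path $base -Name 'Flags' -Value 0 -Type DWord

# Policy server subkey: string values, then DWORD values.
$keyPath = Join-Path $base $keyId
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
foreach ($name in 'URL', 'PolicyID', 'FriendlyName') {
    Set-ItemProperty -Path $keyPath -Name $name -Value $policy[$name] -Type String
}
foreach ($name in 'Flags', 'AuthFlags', 'Cost') {
    Set-ItemProperty -Path $keyPath -Name $name -Value ([int]$policy[$name]) -Type DWord
}

# Read the key back and report any value that differs from what was intended.
$actual = Get-ItemProperty -Path $keyPath
$drift  = foreach ($name in $policy.Keys) {
    if ("$($actual.$name)" -ne "$($policy[$name])") {
        "${name}: expected '$($policy[$name])', found '$($actual.$name)'"
    }
}
if ($drift) {
    $drift | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "Enrollment policy '$($policy.FriendlyName)' applied to $keyPath"
}
```

Run it elevated; afterwards `certutil -policy` should list the new policy server.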


Notes

Enable auto enrollment renewal

"Flags"=dword:00000032


Delete existing enrollment server URL

certutil -config "{CA Config String}" -enrollmentServerURL https://server.external.com/CA1_CES_UsernamePassword/service.svc/CES delete


To add the enrollment service URI to the CA Enrollment Services in AD

certutil -config "{cahostname.domain.com}\{caname}" -enrollmentServerURL https://server.external.com/Domain-CA_CES_UsernamePassword/service.svc/CES


To display CA Enrollment Services object attributes (including the enrollment service URI)

certutil -adca



To display enrollment policy data including general certificate enrollment web service configuration details

certutil -policy



Display existing enrollment server URIs

certutil -config "{CA Config String}" -enrollmentServerURL