Public Key Infrastructure Part 7 – Enrollment and Auto-enrollment

In the last part, we have created a certificate template for WinRM over HTTPS. Now the Sub CA is able to respond to enrollment request. To remember, enrollment is the process for a client to obtain a signed certificate. The client which asks for a signed certificate is called the enrollee.

In this part, we will see how to obtain a certificate from the certificate template called WinRM.


To make an enrollment, open mmc.exe and click on File and Add/Remove Snap-in:

On the left menu, select Certificates and click on Add. There are three types of snap-in to manage certificates:

  • My user account: manage certificates related to your account (personal certificate);
  • Service account: manage certificates related to a service (IIS, LDAP etc.);
  • Computer account: manage certificates related to the computer (or remote computer).

I select computer account for WinRM using.

Then right click on personal store (or certificates as below) and select All Tasks and Request New Certificate.

On the first screen, click on Next.

Select the Active Directory Enrollment Policy and click on Next.

Select the certificate template that you have configured previously. So I select the certificate template WinRM that I have configured on the previous part.

And that’s all. The enrollment is in progress.

At the end of the enrollment, you should have the certificate in your personal store.


With Active Directory Certificate Services, it is possible to make Auto-Enrollment to avoid manual steps as above. In this way all machines where you have set auto-enrollment will obtain a certificate automatically. To configure auto-enrollment, your certificate template must have the security permissions set correctly (view previous part).

Next setting is set in GPO. So open gpmc.msc from a domain controller or console server and create a new GPO.

Edit the GPO and navigate to Computer Configuration > Policies > Windows Settings > Public Key Services. Edit Certificate Services Client Auto-Enrollment policy. Set settings as below.

Next, apply the GPO where you want servers make auto-enrollment. On my side I want that all my servers obtain a certificate to configure WinRM over HTTPS everywhere. So I link the GPO on domain level.

Next I’m connecting to a server. I open a mmc as above. As you can see, no certificate are present on this server.

So I run a gpupdate in order to refresh GPO on this server. My GPO is applied and I obtain certificates. I have another certificate for OCSP signing. It is because I set another certificate template to auto-enroll OCSP server (for the next part J).

If I open a certification authority console on the Sub CA and I navigate to issued certificates, I obtain that:

So it is working well. Now you know how to deploy a PKI and how to deploy a certificate. No excuse to not use HTTPS, IPsec or other way to encrypt communicationJ. Next part I will talk about OCSP responder.

About Romain Serre

Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft Technology, especially on Hyper-V, System Center, Storage, networking and Cloud OS technology as Microsoft Azure or Azure Stack. He is a MVP and he is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).


  1. Hello, thank you for the tutorials it’s great. Tried following your steps but at the level of the enrollment, i have an error like I don’t have the permission to enroll for this type of certificate. The desired certiifcate is equally windows Remote Manager. My architecture is as follow; I have a domaine controller and an enterprise CA found on two seperate servers.Created a user adminrootCA with the approiate rights it is with him i’ve deplyed the CA. Can you please tell me were i went wrong??

  2. Thank you for this tutorial. Really clear and easy to understand.
    Found one thing: you forgot to mention one important detail:
    You need to configure “Automatic certificate request settings” in the group policy before you’ll get working certificates auto enrollment.

  3. Agree with Evgeny. Great article. Many thanks!

    Remaining step was to simply go back into the policy and choose Automatic Certificate Request Settings and choose NEW–>Auto Cert Request…. Choose COMPUTER from the lisyt and next and then finish 🙂

    Thanks for sharing

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Check Also

Public Key Infrastructure Part 8 – OCSP responder

Public Key Infrastructure Part 1 – introduction to encryption and signature Public Key Infrastructure Part ...

Public Key Infrastructure Part 6 – Manage certificate templates

Public Key Infrastructure Part 1 – introduction to encryption and signature Public Key Infrastructure Part ...

Public Key Infrastructure Part 5 – Registry key, certutil and Active Directory

Public Key Infrastructure Part 1 – introduction to encryption and signature Public Key Infrastructure Part ...