Configuring AD policies and templates

When an MS agent is configured with Proxy MS Enrollment Protocols to SCM enabled, you must have AD Domain Group Policies and MS AD certificate templates configured.

MS AD certificate templates and AD group policies are highly customizable and many of the configuration options have no requirements in relation to SCM. The following sections outline only the required or suggested configurations.

MS AD certificate templates

Certificate issuance from SCM is achieved by mapping SCM certificate profiles to custom MS AD certificate templates.

The following table provides an overview of required and suggested template configurations for the enrollment of certificates through SCM.

Field Description Setting

General tab

Validity period

The validity term for certificates created using this template.

This value is overridden by the setting configured in your mapped certificate profile in SCM.

Ignored

Renewal period

The time before certificate expiry during which auto-renewal can be triggered if re-enrollment is supported.

A renewal period of 20% of certificate’s remaining lifetime is suggested.

Most applicable

Compatibility tab

Show resulting changes

If selected, you are notified of changes to the template’s compatibility settings.

Selected (suggested)

Certification Authority

Controls the available template options related to the MS AD version.

The template options provided by newer versions MS AD are ignored by the MS agent.

Ignored

Certificate recipient

Controls the available template options related to the enrolling client operating system.

Most applicable

Request Handling tab

Archive subject’s encryption private key

When selected, private keys are sent to SCM for archival in the Sectigo Key Vault.

This requires having Sectigo Key Vault configured for your account.

Most applicable

Key Attestation tab

Key Attestation

The MS agent does not support key attestation.

Ignored

Server Tab

Do not store certificates and requests in the CA database

The MS agent always stores certificate requests in the CA database.

Ignored

Do not include revocation information in issued certificates

The issuing CA backend determines if revocation information is included or not.

Ignored

Security Tab

Group or user names

The users or groups with access to the template.

Most applicable

Permissions for Authenticated Users

The permissions for the selected user or group on the template.

For a user or computer to perform manual enrollment, they need Read and Enroll permissions.

For a user or computer to perform auto-enrollment, they need Read and Autoenroll.

Most applicable (required)

Extensions tab

Key Usage

The purpose and restrictions of the public key contained in a certificate.

Extensions in the certificate are controlled by the issuing CA.

Ignored

Extended Key Usage

Further key restrictions.

Extensions in the certificate are controlled by the issuing CA.

Ignored

Basic Constraints

Any additional constraints to be applied to the certificate template.

Extensions in the certificate are controlled by the issuing CA.

Ignored

Certificate Template Information

The details included in the description of the certificate template.

Extensions in the certificate are controlled by the issuing CA.

Ignored

Subject Name tab

Supply in the Request

When selected, the subject in the CSR is passed unchanged to SCM.

Most applicable

Build from this Active Directory Information

When selected, the MS agent sends the AD attributes specified in the MS AD certificate template mapping configuration to SCM.

Subject name and alternate name formats are ignored.

Most applicable

Issuance Requirements tab

CA certificate manager approval

When selected, you must approve the certificate request on the MS agent machine through the Certificate Authority MMC snap-in under Pending Requests.

Not recommended

The number of authorized signatures

When selected, the MS agent requires the certificate request to be signed by an authorized entity.

The MS agent only supports 1 authorized signature.

Most applicable

Policy type required in signature

The selected policy type determines how the signing certificate is validated for authorization.

Only Application policy is supported by the MS agent.

Application policy

Application policy

The selected application policy (EKU) that must exist in the signing certificate.

Only Certificate Request Agent (OID) is supported by the MS agent.

Certificate Request Agent

Same criteria as for enrollment

When selected, re-enrollment enforces the same requirements as the original enrollment.

Selected

Certificate Services Client - Auto-Enrollment Policy

In addition to having a properly configured MSCA template, the auto-enrollment of certificates through the MS agent requires the configuration of user or computer auto-enrollment policies.

When the auto-enrollment policy is configured, associated users or computers automatically enroll certificates that are missing for certificate templates with auto-enroll configured.

The following table provides an overview of required and suggested policy configurations for the auto-enrollment of certificates through SCM.

Field Description Setting

Configuration Model

Configuration model indicates the state of the policy.

The available selections are:

  • Disabled — Auto-enrollment will not occur.

  • Enabled — Auto-enrollment is triggered based on internal timers.

  • Not Defined — Auto-enrollment status is determined by the local registry.

Enabled (required)

Update certificates that use certificate templates

When selected, certificates are enrolled and renewed based on certificate templates configured for auto-enrollment.

Selected (required)