.png){kind=logo}
Microsoft Auto-enrollment Operations
ENTERPRISE
The following provides an overview of how to configure auto-enrollment in EJBCA.
For an example guide of setting up MS Auto-enrollment, see the Microsoft Auto-enrollment Configuration Guide and for a conceptual overview, see Microsoft Auto-enrollment Overview.
As of EJBCA 8.3, the creation and configuration of auto-enrollment aliases is moved to the CA side and must no longer be added on the RA side. Aliases configured in earlier EJBCA versions will still be visible in the EJBCA RA instance to preserve backward compatibility, but new aliases must be added under the System Configuration on the EJBCA CA instance.
Also note that if you remove the alias defined on the CA side, you must manually clear the cache on the RA side for the change to take effect. To manually clear the cache, select System Configuration > System Configuration > Basic Configurations > Clear All Caches.
To configure auto-enrollment, select Autoenrollment Configuration from System Configuration in the EJBCA menu.
Auto-enrollment configuration is based on aliases and each alias is configured on the Manage Autoenrollment Aliases page. To add a new alias, click Add.
Configure Domain and Connection Settings
The following sections cover the Domain and Connection configuration settings.
Domain Controller and Policies Settings
The following displays the settings on the Autoenrollment Alias configuration page.
| Field | Description |
|---|---|
| Domain name (DN) of the forest root (the location of the Certificate Templates). | |
| Fully qualified domain name (FQDN) of the domain controller (used for the LDAP connection). | |
Display name of the Certificate Enrollment Policy retrieved by clients (free text). | |
| Policy Update Interval | The value of 'nextUpdateHours' to be set for the policy response. |
Service principal name in the format PROTOCOL/fqdn@REALM. |
Kerberos Settings
The following displays the Kerberos settings on the Autoenrollment Alias configuration page.
Import the Key Tab and the configuration file using the following fields.
| Field | Description |
|---|---|
| Import a valid key tab file. | |
| Import a valid krb5.conf file. |
Configure AD Connection
The following fields are set for the Active Directory (AD) connection. Note that SSL can optionally be used for the EJBCA instance's connection to the LDAP server.
| Field | Settings Without SSL | Settings Using SSL |
|---|---|---|
| Cleared | Selected | |
| Disabled | Select Relevant Key Binding | |
| 389 (or port for your LDAP connection) | 636 (or port for your SSL LDAP connection) | |
| user@DOMAIN.COM For valid formats for the AD bind account, see below. | user@DOMAIN.COM For valid formats for the AD bind account, see below. | |
| your password | your password |
The Active Directory bind account (AD User Login) can be provided in any of the following formats:
- "autoenrollmentbind@yourcompany.com" (sAMAccountName followed by @, followed by either DNS name of a domain in the same forest or a value in the uPNSuffixes of the Partitions container in the config NC replica)
- CN=autoenrollment bind,CN=Users,DC=yourcompany,DC=com" (Full DN)
- autoenrollment bind" (Display Name)
EJBCA instance's connection to the LDAP server can be over SSL if specified. Once the Use SSL option is selected, an Authentication Key Binding can be specified. The selected key binding is used as a trust entry for the LDAP SSL certificate. For details on creating the binding needed for the SSL connection, see Setting up a Remote Authenticator.
The following displays the settings for AD connection without SSL:
The following displays the settings for AD connection with SSL:
Configure Default CA
The default CA used for auto-enrollment is selected using the Default CA field.
Once the configuration has been stored by clicking Save, the AD connection can be tested by clicking Test Connection.
A successful connection will show the following message:
Configure Microsoft Auto-enrollment Templates
In order to enroll through Microsoft Auto-enrollment, the Microsoft Templates are mapped to End Entity Profiles and Certificate Profiles.
In the Available MS Templates section, select a Template, an End Entity Profile and a Certificate Profile and click Add.
Added template mappings are added and listed as Mapped MSAE Templates.
OPTIONAL Configure Key Archival
To optionally enable key archival to allow recovering the private key, configure the following:
- Select a KEC Certificate profile for auto-enrollment with key archival in the auto-enrollment alias configuration:
- Activate Enable Key Recovery in the EJBCA System Configuration:
For more information, see EJBCA Configuration. - Enable Key Recoverable in the end entity profiles used in the auto-enrollment alias configuration.
For more information, see EJBCA Configuration. - Enable key archival in the certificate template used in the auto-enrollment alias configuration.
For more information, see Group Policies and Certificate Templates.