Creating Certificate Profiles

To enable Windows Hello for Business for your organization, you need to create three certificate profiles, one from each of the certificate templates described below.

| Certificate Template Name | Description |
| --- | --- |
| Domain Controller | For Microsoft® Domain Controller certificates. Enables authentication of computers or other devices to your Active Directory domains, including users who use Windows Hello for Business credentials. |
| Microsoft® Enrollment Agent | Enables organizations to issue Microsoft® Enrollment Agent certificates, which allow certificate enrollment on behalf of another entity in your Active Directory domains. |
| Windows Hello for Business Authentication | Enables organizations to issue Windows Hello for Business certificates to users in your Active Directory domains. |

Refer to the DigiCert® Trust Lifecycle Manager | Autoenrollment Server deployment guide, section “Creating Autoenrollment Certificate Profile”, which explains how to create certificate profiles for Autoenrollment Server. When selecting a certificate template, make sure that you select one of the three templates described above.

After you create the profiles, make sure that you note the Profile GUID for the two profiles created from the following templates.

  1. Microsoft® Enrollment Agent

  2. Windows Hello for Business Authentication

This information will be required later in section “Setting Up Active Directory Federation Services”.

Note

The Seat ID of the Microsoft® Enrollment Agent template is mapped to ‘cn’ (Common Name) by default. Do not change this mapping to mail when AD FS is run by Service Accounts, since Service Accounts do not have an email address.
