Preparing certificate templates
The set of certificate templates that you configured in DigiCert ONE is automatically installed in the Active Directory when you import the configuration file downloaded from DigiCert® Trust Lifecycle Manager. To deploy certificates, you must assign the enroll and/or autoenroll permissions to the appropriate groups or users for each certificate template separately.
See Assigning Group/User access to templates.
Autoenrollment Server supports v2 and v4 certificate templates.
You cannot use the older v1 or v3 templates for autoenrollment as Autoenrollment Server has not been fully qualified for them. However, you can supersede older templates to newer templates.
Assigning Group/User access to templates
Using an administrator with Certificate Templates write permission (typically Domain Administrator or Enterprise Administrator), access the machine running Autoenrollment Server. Open Microsoft Management Console (MMC) and add the Certificate Templates Snap-In to set the security settings (enroll/autoenroll rights) for the templates therein.
Nota
Do not change any of the template values other than the security settings. Editing templates leads to failure of all requests for this template.
To change template settings, edit the corresponding certificate profile in DigiCert® Trust Lifecycle Manager, and then download and import a new autoenrollment configuration file.
The Certificate Template property page contains the Security tab. The Security tab allows you to define the DACL (Discretionary Access Control List) for a specific certificate template. The permissions that you assign to the certificate template define which security principals can read, modify, enroll, or auto-enroll for a specific certificate template.
The Group or user names dialog lists all groups and users holding privileges on the currently-opened certificate template.
You can add your own network-specific group names if you do not use the default group names (such as Domain Users and Domain Computers). Once you have added your domain-specific groups, assign the appropriate combinations of Enroll and Autoenroll permissions to them.
Important permissions are:
Read: This permission allows a security principal to see the certificate template when they enroll for certificates. It is required for a security principal to enroll or auto-enroll a certificate. The certificate server also requires finding the certificate templates in Active Directory.
Enroll: This permission allows a security principal to enroll for a certificate based on the certificate template. To enroll for a certificate, the security principal must also have Read permissions for the certificate template.
Autoenroll: This permission allows a security principal to receive a certificate through the autoenrollment process. Autoenrollment permissions require that the user has both Read and Enroll permissions in addition to the Autoenroll permission.
Depending on the specific certificate template, you should assign the appropriate permissions to the required groups of users or computers.
Nota
You should use global or universal groups instead of individual users or computer accounts when assigning template access permissions. Especially in large infrastructures, this facilitates administration of access rights. This also helps minimize conflicts and inconsistencies across multiple domain controller contexts.
Additionally:
You should assign Read permission to the authenticated group for all certificate templates. Then all users and computers can read the certificate templates in Active Directory.
Restrict Write and Full Control permissions to only those people who require them to ensure that the templates are not improperly configured.