Automation of Autoenrollment Server configuration

Note

If you used the manual configuration flow to configure the Autoenrollment Server, skip the steps on this page.

If your Windows Server is joined to a Domain Controller, add the Group Policy Management Console (GPMC).

To add the Group Policy Management Console (GPMC), perform the following steps:

  1. Open the Server Manager tool.

  2. Select Manage > Add Roles and Features.

  3. Proceed through the Add Roles and Features wizard until you reach the Features menu.

  4. Select Group Policy Management from the list of available features.

  5. Select Install and follow the steps in the wizard.

Go to the AEServer installation directory and run the following commands:

cd .\ConfigureAES

.\ConfigureAES.bat "<AEServerInstallationPath>"

For example: .\ConfigureAES.bat "C:\Program Files\DigiCert\AEServer"

For detailed information, refer to the installation and deployment guide.

The following is sample output of the ConfigureAES.bat script as it updates the policy settings:

C:\Program Files\DigiCert\AEServer\ConfigureAES>.\ConfigureAES.bat "C:\Program Files\DigiCert\AEServer"
This script automates the configuration of  DCOM access rights, firewall settings and Group Policies required
for the DigiCert Autoenrollment Server (AES) to function  properly within your domain environment. It ensures
the necessary permissions are applied to relevant groups and updates the Default Domain Controllers Policy GPO
to enable smooth certificate autoenrollment for users, computers, and domain controllers.
For detailed information, refer the Deployment Guide:
https://docs.digicert.com/en/trust-lifecycle-manager/integration-guides/autoenrollment-server/install-and-deploy.html
Do you want to proceed? [(Y)es/(E)xit]:Y
========================================================================
Step 1: Configure DCOM access rights and set autoenrollment permissions
========================================================================
This step will configure the required Distributed Component Object Model (DCOM) access rights and
sets permissions for the Autoenrollment Server (AES).
Prerequisites
 - You must have permission to modify DCOM configuration settings (Domain Administrators or Enterprise
   Administrators have this permission by default).
Groups granted access permissions and launch and activation permissions (local and remote)
 - Domain Users
 - Domain Computers
 - Domain Controllers
Do you want to proceed? [(Y)es/(S)kip this step/(E)xit]:Y
    Enabling Distributed COM on this Computer... [In progress]
    Enabling Distributed COM on this Computer... [Completed]
    Setting DCOM access permissions for AutoEnrollmentDCOMSrv... [In progress]
    Setting launch and activation permissions for AutoEnrollmentDCOMSrv... [In progress]
    Setting DCOM access permissions for AutoEnrollmentDCOMSrv... [Completed]
    Setting launch and activation permissions for AutoEnrollmentDCOMSrv... [Completed]
========================================================================
Step 2: Configure firewall settings
========================================================================
This step will ensure that the DigiCert Autoenrollment Server can communicate through the
system's firewall by configuring a firewall exception on the computer running Autoenrollment Server.
Do you want to proceed? [(Y)es/(S)kip this step/(E)xit]:Y
    Configuring firewall exception for the Autoenrollment Server... [In progress]
    Configuring firewall exception for the Autoenrollment Server... [Completed]
========================================================================
Step 3: Update group policies
========================================================================
This step will configure the Group Policy Object (GPO) for the Autoenrollment Server (AES).
The following settings will be enabled:
Computer configuration
  - Configuration Model
  - Renew expired certificates, update pending certificates, and remove revoked certificates
  - Update certificates that use certificate templates
User configuration
  - Configuration Model
  - Renew expired certificates, update pending certificates, and remove revoked certificates
  - Update certificates that use certificate templates
Do you want to proceed? [(Y)es/(S)kip this step/(E)xit]:Y
    Available GPOs:
    [0] Default Domain Policy
    [1] Default Domain Controllers Policy
    Enter the number(s) of the GPOs you want to update, separated by commas (or type 'ALL' to process all GPOs).
    Selection: 0
    Updating group policies... [In progress]
    Processing GPO: Default Domain Policy (31b2f340-016d-11d2-945f-00c04fb984f9)
    Updating group policies... [Completed]
DigiCert Autoenrollment Server configuration completed successfully.
For more details, refer to the logs:  "C:\Program Files\DigiCert\AEServer\logs\ConfigureAES.log.2025-08-10"
C:\Program Files\DigiCert\AEServer\ConfigureAES>
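
Step 3 edits a GPO in place, and Default Domain Policy applies domain-wide, so it is worth keeping a restorable copy before the run and checking the result afterwards. The following PowerShell is an added example, not part of the DigiCert script or documentation. It assumes the script writes the standard Windows autoenrollment policy value `AEPolicy`, where 7 corresponds to the policy enabled with both options listed in Step 3; the function names and the backup path are hypothetical.

```powershell
# Added example (not DigiCert code). Requires the GroupPolicy module, which is
# installed with the Group Policy Management Console (GPMC).
Import-Module GroupPolicy -ErrorAction Stop

# Standard Windows autoenrollment policy key, relative to HKLM (computer) or HKCU (user).
# Assumption: ConfigureAES.bat sets the policy through this standard value.
$AeKey = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'

function Save-GpoBaseline {
    # Run BEFORE ConfigureAES.bat: keep a restorable backup of each GPO you will select.
    param([string[]]$GpoName, [string]$BackupDir)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($name in $GpoName) {
        Backup-GPO -Name $name -Path $BackupDir -Comment 'Before ConfigureAES.bat'
    }
}

function Test-AutoenrollmentPolicy {
    # Run AFTER ConfigureAES.bat: report AEPolicy for computer and user configuration.
    param([string[]]$GpoName)
    foreach ($name in $GpoName) {
        foreach ($hive in 'HKLM', 'HKCU') {
            $scope = if ($hive -eq 'HKLM') { 'Computer' } else { 'User' }
            $value = $null
            try {
                $setting = Get-GPRegistryValue -Name $name -Key "$hive\$AeKey" `
                    -ValueName 'AEPolicy' -ErrorAction Stop
                $value = $setting.Value
            } catch {
                # Value is not configured in this GPO; reported as empty below.
            }
            [pscustomobject]@{
                Gpo        = $name
                Scope      = $scope
                AEPolicy   = $value
                AsExpected = ($value -eq 7)   # 7 = enabled with both options
            }
        }
    }
}

# Usage (constructed backup path):
#   Save-GpoBaseline -GpoName 'Default Domain Policy' -BackupDir 'C:\GPOBackup'
#   ... run .\ConfigureAES.bat and select the same GPO ...
#   Test-AutoenrollmentPolicy -GpoName 'Default Domain Policy' | Format-Table
```

If a row shows `AsExpected` as False, compare the GPO against the backup in the Group Policy Management Console before changing anything else.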

Next steps:

Install Certification Authority management tools

Allow publishing to Active Directory