
Automation of Autoenrollment Server configuration


If you used the manual configuration flow to configure the Autoenrollment Server, skip the steps on this page.

If your Windows Server is joined to a Domain Controller, add the Group Policy Management Console (GPMC).

To add the Group Policy Management Console (GPMC), perform the following steps:

  1. Open the Server Manager tool.

  2. Select Manage > Add Roles and Features.

  3. Proceed through the Add Roles and Features wizard until you reach the Features menu.

  4. Select Group Policy Management from the list of available features.

  5. Select Install and follow the steps in the wizard.

Go to the AEServer installation directory and run the following commands:

cd .\ConfigureAES

.\ConfigureAES.bat "<AEServerInstallationPath>"

For example: .\ConfigureAES.bat "C:\Program Files\DigiCert\AEServer"

For detailed information, refer to the installation and deployment guide.

The following is a sample output of the ConfigureAES.bat script when it is run to update the policy settings.

C:\Program Files\DigiCert\AEServer\ConfigureAES>.\ConfigureAES.bat "C:\Program Files\DigiCert\AEServer"

This script automates the configuration of DCOM access rights, firewall settings,
and Group Policies required for the DigiCert Autoenrollment Server (AES) to
function properly within your domain environment. It ensures the necessary permissions
are applied to relevant groups and updates the Default Domain Controllers Policy GPO
to enable smooth certificate autoenrollment for users, computers, and domain controllers.

Do you want to proceed? [Y/N]: y  
Step 1: Configure DCOM access rights and set autoenrollment permissions 
This step will configure the required Distributed Component Object Model (DCOM)
access rights and sets permissions for the Autoenrollment Server (AES).  

- You must have permission to modify DCOM configuration settings
(Domain Administrators or Enterprise Administrators have this permission by default).

Groups granted access and launch permissions (local and remote)  
- Domain Users  
- Domain Computers  
- Domain Controllers  

Do you want to proceed? [Y/N]: y
   Enabling Distributed COM on this Computer... [In progress]
   Enabling Distributed COM on this Computer... [Completed]      

   Restarting the DCOM Server Process Launcher service...

Press any key to continue...
   DCOM Server Process Launcher service restarted successfully.

   Setting DCOM permissions for AutoEnrollmentDCOMSrv... [In progress]
   Setting launch and activation permissions for AutoEnrollmentDCOMSrv... [In progress]
   Setting DCOM access permissions for AutoEnrollmentDCOMSrv... [Completed]
   Setting launch and activation permissions for AutoEnrollmentDCOMSrv... [Completed]

Step 2: Configure firewall rules 
This step ensures that the DigiCert Autoenrollment Server can communicate through
the system's firewall by configuring a firewall exception on the computer running
Autoenrollment Server.

Do you want to proceed? [Y/N]:y
    Configuring firewall exception for the Autoenrollment Server... [In progress]
    Configuring firewall exception for the Autoenrollment Server... [Completed]

Step 3: Update group policies 
This step will configure the Group Policies Object (GPO) for the 
Autoenrollment Server (AES).  

The following settings will be enabled:  

Computer configuration   
- Configuration Model   
- Renew expired certificates, update pending certificates, and remove
  revoked certificates   
- Update certificates that use certificate templates 

User configuration   
- Configuration Model   
- Renew expired certificates, update pending certificates, and remove
  revoked certificates   
- Update certificates that use certificate templates

Do you want to proceed? [Y/N]:y
    Available GPOs:
    [0] Default Domain Policy
    [1] Default Domain Controllers Policy
    Enter the number of the GPOs you want to update, separated by commas (or type 'ALL' to process all GPOs).
    Selection: 0
    Updating group policies... [In progress]
    Processing GPO: Default Domain Policy (31b2f340-016d-11d2-945f-00c04fb984f9)
    Updating group policies... [Completed]

DigiCert Autoenrollment Server configuration completed successfully.  

For more details, refer to the logs: "C:\Program Files\DigiCert\AEServer\logs\ConfigureAES.log.2025-02-11"
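
To confirm what the run changed, the settings can be read back afterwards. The following PowerShell is an added example, not part of DigiCert's script or documentation; it assumes the GroupPolicy module installed with GPMC, that DCOM is enabled through the standard EnableDCOM registry value, and that the script writes the standard Windows AEPolicy autoenrollment value into the selected GPO (the registry paths and flag values are Windows defaults, not taken from this page).

```powershell
# Added example: read back the settings that ConfigureAES.bat reports changing.
# Assumes the GroupPolicy module (installed with GPMC) and an elevated session.
Import-Module GroupPolicy

$GpoName = 'Default Domain Policy'   # the GPO selected in the sample run above
$AeKey   = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# Standard Windows autoenrollment policy bits (AEPolicy); not DigiCert-specific.
$Flags = [ordered]@{
    'Update certificates that use certificate templates' = 0x1
    'Renew expired / remove revoked certificates'        = 0x2
    'Update pending certificates'                        = 0x4
}

function Test-AEPolicy {
    param([string]$Gpo, [ValidateSet('HKLM', 'HKCU')][string]$Hive)
    try {
        $v = (Get-GPRegistryValue -Name $Gpo -Key "$Hive\$AeKey" `
                -ValueName AEPolicy -ErrorAction Stop).Value
    } catch {
        # Get-GPRegistryValue throws when the value is absent from the GPO.
        return [pscustomobject]@{ Scope = $Hive; AEPolicy = $null
                                  Status = 'Not configured in this GPO' }
    }
    if ($v -band 0x8000) {
        $status = 'Disabled'          # 0x8000 = autoenrollment disabled
    } else {
        $missing = $Flags.GetEnumerator() |
            Where-Object { -not ($v -band $_.Value) } | ForEach-Object Key
        $status = if ($missing) { 'Enabled, missing: ' + ($missing -join '; ') }
                  else { 'Enabled, all options set' }
    }
    [pscustomobject]@{ Scope = $Hive; AEPolicy = ('0x{0:X}' -f $v); Status = $status }
}

# Step 1: DCOM must be enabled machine-wide (value "Y").
$dcom = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM).EnableDCOM
"EnableDCOM = $dcom"

# Step 3: computer (HKLM) and user (HKCU) sides of the selected GPO.
'HKLM', 'HKCU' | ForEach-Object { Test-AEPolicy -Gpo $GpoName -Hive $_ } |
    Format-Table -AutoSize
```

With all three options enabled, both rows report AEPolicy 0x7. Change $GpoName if a different GPO was selected at the prompt.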

Next steps:

Install Certification Authority management tools

Allow publishing to Active Directory
