A Windows Server–based certification authority (CA) can publish the certificates it issues to Active Directory subjects (users and computers) to the subject's Active Directory object, where they are stored in the userCertificate attribute. This allows other users of Active Directory Domain Services (AD DS) to locate and use the subject's certificate without contacting the subject first. Two settings, both on the General tab of the certificate template's property sheet, control how this feature works:

  • Publish certificate in Active Directory. When a subject obtains a certificate based on this template, the CA adds the issued certificate to that subject's Active Directory object. The CA must be able to write to the subject's object; an enterprise CA gets this right through the membership of its computer account in the Cert Publishers group, so publishing for subjects in another domain of the forest requires adding the CA's computer account to that domain's Cert Publishers group as well.

  • Do not automatically re-enroll if a duplicate certificate exists in Active Directory. When the subject attempts to autoenroll for a certificate based on this template, computers running Windows XP or later first search the subject's Active Directory object for a valid certificate issued from the same template. If one exists, autoenrollment does not submit a new enrollment request. Renewal of an expiring certificate still proceeds; what this prevents is the issuance of multiple duplicate certificates, for example when a user logs on to several computers and each would otherwise enroll on its own.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To configure certificate publishing in AD DS
  1. Open the Certificate Templates snap-in (certtmpl.msc).

  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

  3. On the General tab, select the check box for the Active Directory setting you want, and then click Apply. The setting takes effect for certificates issued from the template after the change; certificates that were issued earlier are not published retroactively.
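The same two settings can be inspected and set from PowerShell instead of the snap-in. The script below is an added example and is not part of the original article: it assumes the RSAT ActiveDirectory module, the Domain Admins or Enterprise Admins rights stated above, a placeholder template display name 'Contoso User' and user 'jsmith', and the msPKI-Enrollment-Flag bit values documented in [MS-CRTD]. The last function lists what the CA has already published to a user's object, which is how you confirm publishing works and spot the duplicates the second check box is meant to prevent.

```powershell
# Added example; not code from the original article.
# Requires the RSAT ActiveDirectory module and Domain Admins / Enterprise Admins rights.
# 'Contoso User' and 'jsmith' are placeholders; substitute your own template and user.
Import-Module ActiveDirectory

# The two General-tab check boxes are bits of the template's msPKI-Enrollment-Flag
# attribute ([MS-CRTD] section 2.27).
$CT_FLAG_PUBLISH_TO_DS                             = 0x00000008  # Publish certificate in Active Directory
$CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE = 0x00000010  # Do not automatically re-enroll if a duplicate exists

function Get-CertTemplateObject {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Templates live in the forest-wide Configuration partition, not in a domain partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $t = Get-ADObject -SearchBase $base `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))" `
        -Properties 'msPKI-Enrollment-Flag', 'msPKI-Template-Minor-Revision'
    if (-not $t) { throw "No template with display name '$DisplayName' under $base" }
    return $t
}

function Show-CertTemplatePublishing {
    # Reports how the two Active Directory settings are currently configured.
    param([Parameter(Mandatory)][string]$DisplayName)
    $t = Get-CertTemplateObject -DisplayName $DisplayName
    $flags = [int]$t.'msPKI-Enrollment-Flag'
    [pscustomobject]@{
        Template              = $DisplayName
        EnrollmentFlag        = ('0x{0:X8}' -f $flags)
        PublishToDirectory    = (($flags -band $CT_FLAG_PUBLISH_TO_DS) -ne 0)
        NoReenrollOnDuplicate = (($flags -band $CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE) -ne 0)
    }
}

function Set-CertTemplatePublishing {
    # Equivalent of ticking the check boxes and clicking Apply.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [switch]$PublishToDirectory,
        [switch]$NoReenrollOnDuplicate,
        [switch]$Apply   # without -Apply the function only reports what it would change
    )
    $t   = Get-CertTemplateObject -DisplayName $DisplayName
    $old = [int]$t.'msPKI-Enrollment-Flag'
    $new = $old
    if ($PublishToDirectory)    { $new = $new -bor $CT_FLAG_PUBLISH_TO_DS }
    if ($NoReenrollOnDuplicate) { $new = $new -bor $CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE }
    if ($new -eq $old) { Write-Host ('No change: msPKI-Enrollment-Flag is already 0x{0:X8}' -f $old); return }
    Write-Host ('msPKI-Enrollment-Flag 0x{0:X8} -> 0x{1:X8}' -f $old, $new)
    if (-not $Apply) { Write-Host 'Dry run; re-run with -Apply to write the change.'; return }
    # The snap-in increments the minor revision on every edit; do the same so
    # clients that cache templates notice the change.
    $minor = [int]$t.'msPKI-Template-Minor-Revision' + 1
    Set-ADObject -Identity $t.DistinguishedName -Replace @{
        'msPKI-Enrollment-Flag'         = $new
        'msPKI-Template-Minor-Revision' = $minor
    }
}

function Get-PublishedCertificates {
    # Lists the certificates the CA has published to a user's userCertificate attribute.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    foreach ($der in $u.userCertificate) {
        # userCertificate holds DER-encoded certificates, one byte array per value.
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$der)
        [pscustomobject]@{
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            NotAfter   = $c.NotAfter
            Thumbprint = $c.Thumbprint
        }
    }
}

Show-CertTemplatePublishing -DisplayName 'Contoso User'
Set-CertTemplatePublishing -DisplayName 'Contoso User' -PublishToDirectory -NoReenrollOnDuplicate          # preview
Set-CertTemplatePublishing -DisplayName 'Contoso User' -PublishToDirectory -NoReenrollOnDuplicate -Apply   # write
Get-PublishedCertificates -SamAccountName 'jsmith' | Sort-Object Subject, NotAfter | Format-Table -AutoSize
```

The LDAP filter is built from the display name as-is, so a name containing LDAP filter metacharacters such as parentheses would need escaping. Several entries with the same Subject and overlapping NotAfter values in the last listing are the duplicates that the second check box stops autoenrollment from creating; entries for certificates that have expired or been revoked stay in userCertificate until someone removes them, since the CA only adds to the attribute.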