Active Directory Certificate Services (AD CS) supports a variety of enrollment and renewal methods, including autoenrollment without any client interaction and interactive enrollment methods such as the Certificate Request Wizard and the AD CS Web pages.
 | Note |
|
If you deploy non-Microsoft certification authorities (CAs) or custom certificate enrollment and renewal applications, you must perform any configuration required for those CAs and applications. |
How a client obtains a certificate is primarily controlled by the security properties of the certificate template.
When certificate templates are published on a server, each template contains an access control list (ACL) that defines the specific operations a subject can perform with a certificate.
| Setting | Description | ||||
|---|---|---|---|---|---|
|
Full Control |
The selected group or user can perform any action on this template. | ||||
|
Read |
The selected group or user can read this template. | ||||
|
Write |
The selected group or user can modify this template. | ||||
|
Enroll |
The selected group or user can submit a certificate issuance or renewal request based on this template.
| ||||
|
Autoenroll |
The selected group or user can submit a certificate request based on this template by way of autoenrollment.
|
The most common use of certificates is for subject enrollment with autoenrollment permitted. In this case, the subject must be granted Read, Enroll, and Autoenroll permissions.
If you do not want to autoenroll users, but do want to make manual or Web-based enrollment available, granting the Read and Enroll permissions is appropriate.
When subjects already hold a certificate, they need only Read and Enroll permissions to renew that certificate, whether they use autoenrollment or not.
Write and Full Control permissions should be restricted to CA managers to ensure the templates are not improperly configured.