Windows Auto-Enrolment: Centralising certificate management

Posted by Mike Hathaway on Aug 2, 2023 11:24:17 AM

Microsoft essentially holds one of the world’s de facto standards when it comes to Enterprise Server and Workstation Deployments.

Microsoft’s Windows operating system is mature and enables many third-party solutions to integrate from a productivity and security standpoint. Microsoft provides Active Directory Certificate Services (AD CS) to enable clients to request certificates to access domain-based resources securely.

AD CS is designed to work within the confines of an Active Directory domain. Active Directory Certificate Services works with Microsoft clients who support SCEP, PKCS#10 and Windows Native Certificate Enrollment. It does not support ACME, EST and CMP and, as a result, cannot scale to meet all use cases.

You can easily integrate Ascertia’s ADSS Web RA Server, together with ADSS PKI Server, into a Microsoft domain. This is done to deliver a consistent, centrally managed certificate management policy to Microsoft domain and non-domain users and computers.

Ascertia ADSS Web RA Server’s Windows Enrolment support means administrators, users and device owners do not need to change their behaviour. They can simply leverage the Microsoft tools as they do today. All certificate requests are sent to the ADSS PKI Server where the centrally managed policy is seamlessly applied, and user and computer certificates are issued.

Simplified certificate management

We specifically designed ADSS Web RA Server to simplify system administration and enable end-users to self-service. It provides a secure and intuitive web-based portal where users can self-manage their individual certificates.

Web RA Issued Certificates

Grouping certificates for device administrators

If you are a device or IT administrator, look no further than ADSS Web RA Server. This Ascertia product makes it easy for certificates to be grouped by role, enabling you to easily access certificates for your managed devices.

For example, you can group by certificate template or certificate contents. Device owners may want to group all certificates with OU=Laptops to be assigned to laptop administrators and then assign all certificates with OU=Switches to a network administrator.


Automatic certificate issuance

Microsoft Auto-Enrolment is a key part of the Microsoft certificate provisioning use case. Certificate enrolment is managed via Microsoft Group Policy, which is applied to users, groups, workstations and servers via Active Directory.

When a client refreshes group policy, it is given the network location of the Web RA Server Certificate Enrolment Policy Server. This sends a request to the active directory to query the certificate templates and enrolment servers the client is entitled to access.

It then returns to the client, who uses this information to connect to the Certificate Enrollment Web Service. This then retrieves the user’s details from Active Directory before submitting a certificate request to an ADSS Server-based Certificate Authority (CA). ADSS Server then returns a signed certificate to the client where it is installed.


Auto provision web-based self-service

ADSS Web RA will automatically create an account for users to access any certificates that they have been enrolled for. Users simply need to log into their devices and, when certificate auto-enrolment provides them with a digital certificate, they will receive an invitation email to join the Web RA digital identity management portal.

Centralised deployment

ADSS Web RA Server is designed to be installed and integrated with a company’s Microsoft Domain. Organisations can connect each instance of Web RA Server to multiple installations of ADSS Server, easily connecting the server to a centrally hosted PKI based on Ascertia ADSS PKI Server.

This can be hosted within the Enterprise or by a member of the Ascertia global ecosystem. For more information on locating a local provider, please visit our website or contact a member of our team.

Digital trust foundation

ADSS Server and ADSS Web RA Server are core products of the Ascertia Digital Trust family.

Together they offer enterprises, Trust Service Providers (TSPs) and governments a rich set of digital trust services for the issuance and management of digital identities. The package can easily enable additional use cases that are the very foundation of digital business, such as:

  • Digital signatures
  • Signature verification
  • Certificate verification
  • Time-stamping
  • Remote signatures

ADSS Server and ADSS Web RA Server integrate seamlessly with Ascertia's SigningHub, a digital workflow and signature platform that enables digital transformation. SigningHub is used globally to provide digital signatures to internal and external users and can be integrated into leading business applications.

For more information on digital trust and Ascertia’s technology, read our other blogs.