Hello everyone,
I'm working on a Windows Server 2016 PKI and wanted to set up web services for renewal of certificates outside the internal network. Here is the ideal scenario:
1. Computer retrieves enrollment policy via GPO, policy contains both LDAP and the ADPolicyProvider_CEP_Certificate CEP URL.
2. Computer is auto-enrolled through LDAP/DCOM/RPC when connected to the domain.
3. Once outside the network boundary, the computer can renew the same certificate against CES & CEP using the certificate as authentication.
No administrator approval should be required for the initial enrollment or renewal because these are domain-joined machines only.
I've followed a few guides from Microsoft, but I don't see this specific architecture being configured. These include:
https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#Client_Certificate_Authentication
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj590165(v=ws.11)
They reference configuring key-based renewal which means issuance and renewal must be approved by administrators, and the subject information must be supplied in the request, based on my testing. This means auto-enrollment won't work.
I've tried configuring a few templates which enroll fine through LDAP/DCOM/RPC, but when trying to renew through CEP/CES I get the error "Certificate template is not supported by the CA".
Is what I'm trying to do possible?
Thanks!
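As an added example (not part of the original post and not Microsoft's sample code), the following PowerShell script runs the client-side checks a PKI admin would want before debugging the renewal path described above: it lists the enrollment policy servers the machine context received from GPO, finds machine certificates issued from a given template, and attempts a renewal of any certificate close to expiry through a CEP URL with certreq, so that the "Certificate template is not supported by the CA" error can be reproduced on demand. The CEP URL and the template name are placeholders to be replaced with your own values; everything else uses the built-in PKIClient cmdlets and certreq.exe.

```powershell
# Added example for the scenario in the post above (not the poster's or
# Microsoft's code). Run in an elevated PowerShell on a domain-joined client.
# The URL and template name below are hypothetical placeholders.
param(
    [string]$CepUrl       = 'https://cep.example.internal/ADPolicyProvider_CEP_Certificate/service.svc/CEP',
    [string]$TemplateName = 'ExampleComputerRenewal',
    [int]$RenewWithinDays = 30
)

# 1. Which enrollment policy servers does the machine context know about?
#    Both the LDAP (AD) policy and the GPO-delivered CEP entry should appear.
Write-Host "Enrollment policy servers (machine context):"
Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine | Format-List *

# 2. Find machine certificates issued from the template. Version 2 and later
#    templates stamp the Certificate Template Information extension
#    (OID 1.3.6.1.4.1.311.21.7), whose formatted text starts with "Template=".
$templateInfoOid = '1.3.6.1.4.1.311.21.7'
$pattern = 'Template=' + [regex]::Escape($TemplateName) + '\b'
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
    $ext -and ($ext.Format($false) -match $pattern)
}

if (-not $candidates) {
    Write-Warning "No machine certificate from template '$TemplateName' found; auto-enrollment (step 2) has not run yet."
    return
}

# 3. For each candidate, report the expiry and renew through CEP/CES when it is
#    within the renewal window. certreq uses the existing certificate as the
#    authentication credential and takes the template from that certificate;
#    omitting ReuseKeys makes it generate a fresh key pair.
foreach ($cert in $candidates) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ("{0}  subject={1}  expires in {2} days" -f $cert.Thumbprint, $cert.Subject, $daysLeft)

    if ($daysLeft -gt $RenewWithinDays) { continue }

    Write-Host "Attempting renewal via $CepUrl ..."
    certreq -Enroll -machine -q -PolicyServer $CepUrl -cert $cert.Thumbprint Renew
    if ($LASTEXITCODE -ne 0) {
        # A non-zero exit here is where the "template is not supported by the CA"
        # error surfaces; compare the template name/OID printed above with the
        # templates the CA publishes to the CES endpoint.
        Write-Warning "Renewal failed (certreq exit code $LASTEXITCODE)"
    }
}
```

The script only reads the machine store and issues a renewal request that the CA is free to reject, so it is safe to run repeatedly while tracing the template mismatch; run it from outside the network boundary to exercise exactly step 3 of the scenario.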