Set up certificate auto-enrollment

Ubuntu Pro

This feature of ADSys requires an Ubuntu Pro subscription.

Certificate auto-enrollment is a key component of Ubuntu’s Active Directory GPO support. This feature enables clients to seamlessly enroll for certificates from Active Directory Certificate Services.

The certificate policy manager allows clients to enroll for certificates from Active Directory Certificate Services. Certificates are then continuously monitored and refreshed by the certmonger daemon. Currently, only machine certificates are supported.

Unlike the other ADSys policy managers which are configured in the special Ubuntu section provided by the ADMX files (Administrative Templates), settings for certificate auto-enrollment are configured in the Microsoft GPO tree:

  • Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment

Certificate GPO tree view

Prerequisites

Active Directory

You will need an installation of ADSys on a client Ubuntu machine, and the client should be joined to an Active Directory (AD) domain. Please refer to our how-to guides on setting up the Ubuntu client machine:

For the Windows domain controller, refer to:

Required packages

The following packages must be installed on the client in order for auto-enrollment to work:

  • certmonger — daemon that monitors and updates certificates

  • cepces — certmonger extension that can communicate with Active Directory Certificate Services

On Ubuntu systems, run the following to install them:

sudo apt install certmonger python3-cepces
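A pre-flight check you can run on the client before enabling the GPO, verifying that both required packages are installed and that the certmonger daemon is running. This is an added example, not part of ADSys; it assumes a Debian/Ubuntu system with dpkg and systemd, and that the daemon's unit is named certmonger.service.

```shell
#!/bin/sh
# Pre-flight check for certificate auto-enrollment prerequisites on an Ubuntu client.
# Added example (not ADSys code); assumes dpkg-query and systemctl are available.

REQUIRED_PKGS="certmonger python3-cepces"

# Returns 0 when the package's dpkg status is "install ok installed".
pkg_installed() {
    status=$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null) || return 1
    [ "$status" = "install ok installed" ]
}

# Prints the names of the given packages that are not installed, one per line.
missing_packages() {
    for pkg in "$@"; do
        pkg_installed "$pkg" || echo "$pkg"
    done
}

# Returns 0 when the certmonger daemon unit is active (unit name is an assumption).
certmonger_running() {
    systemctl is-active --quiet certmonger.service
}

# Reports every unmet prerequisite; exit status 0 only when all are satisfied.
preflight() {
    rc=0
    missing=$(missing_packages $REQUIRED_PKGS)
    if [ -n "$missing" ]; then
        echo "Missing packages:"
        echo "$missing" | sed 's/^/  - /'
        echo "Install with: sudo apt install $(echo "$missing" | tr '\n' ' ')"
        rc=1
    fi
    if ! certmonger_running; then
        echo "certmonger is not running; enrolled certificates will not be monitored or refreshed"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "All certificate auto-enrollment prerequisites are satisfied"
    return "$rc"
}

# Run the check only when invoked as: sh preflight.sh --check
[ "${1:-}" = "--check" ] && preflight
```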

On the Windows side, the following roles must be installed and configured:

  • Certification Authority

  • Certificate Enrollment Policy Web Service

  • Certificate Enrollment Web Service