Step 1B: Installing Computer Certificates; Step 1C: Installing User Certificates - Extreme Networks Summit WM Technical Reference Manual

Version 5.1

Creating the Windows Security Infrastructure
a certificate is revoked, the CRL is manually published, but the IAS server still allows the connection
because the local CRL has not yet been updated.

Step 1b: Installing Computer Certificates

If you are using a Windows Server 2003 or Windows 2000 Certificate Services enterprise CA as an
issuing CA, you can install a computer certificate on the IAS server by configuring Group Policy for the
autoenrollment of computer certificates for computers in an Active Directory system container.
To configure computer certificate enrollment for an enterprise CA:
1 Open the Active Directory Users and Computers snap-in.
2 In the console tree, double-click Active Directory Users and Computers, right-click the domain
name to which your CA belongs, and then click Properties.
3 On the Group Policy tab, click the appropriate Group Policy object (the default object is Default
Domain Policy), and then click Edit.
4 In the console tree, open Computer Configuration, then Windows Settings, then Security Settings,
then Public Key Policies, then Automatic Certificate Request Settings.
5 Right-click Automatic Certificate Request Settings, point to New, and then click Automatic
Certificate Request.
6 The Automatic Certificate Request wizard appears. Click Next.
7 In Certificate templates, click Computer, and then click Next. Your enterprise CA appears on the list.
8 Click the enterprise CA, click Next, and then click Finish.
9 To immediately obtain a computer certificate for the CA that is running Windows 2000 Server, type
the following at a command prompt: secedit /refreshpolicy machine_policy
10 To immediately obtain a computer certificate for the CA that is running Windows Server 2003, type
the following at a command prompt: gpupdate /target:computer
After the domain is configured for autoenrollment, each computer that is a member of the domain
requests a computer certificate when computer Group Policy is refreshed. By default, the Winlogon
service polls for changes in Group Policy every 90 minutes. To force a refresh of computer Group Policy,
restart the computer or type secedit /refreshpolicy machine_policy (for a computer running Windows
2000) or gpupdate /target:computer (for a computer running Windows XP or Windows Server 2003) at a
command prompt. Perform this procedure for each domain system container as appropriate.
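
A refresh of Group Policy does not by itself show that a certificate was issued. The following PowerShell check is an added example, not part of the manual: it lists the certificates in the Local Computer Personal store that were issued by your CA and flags the ones that are unusable. It assumes Windows PowerShell is installed on the computer being checked; the issuer name is a placeholder and the function name Get-ComputerCertReport is hypothetical.

```powershell
param(
    # Assumption: placeholder issuer name; replace with your enterprise CA's name.
    [string]$IssuerPattern = '*CN=Example-Enterprise-CA*',
    [int]$WarnDays = 30
)

# Purposes carried by certificates issued from the built-in Computer template.
$ekuNames = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Get-ComputerCertReport {
    param([string]$IssuerPattern, [int]$WarnDays)
    $now  = Get-Date
    $soon = $now.AddDays($WarnDays)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like $IssuerPattern } |
        ForEach-Object {
            $cert = $_
            # Collect the EKU OIDs; an absent EKU extension means "all purposes".
            $oids = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
                ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
            $problems = @()
            if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
            if ($now -lt $cert.NotBefore) { $problems += 'not yet valid' }
            if ($now -gt $cert.NotAfter)  { $problems += 'expired' }
            if ($cert.NotAfter -gt $now -and $cert.NotAfter -lt $soon) {
                $problems += "expires within $WarnDays days"
            }
            if ($oids.Count -gt 0) {
                foreach ($oid in $ekuNames.Keys) {
                    if ($oids -notcontains $oid) { $problems += "missing EKU: $($ekuNames[$oid])" }
                }
            }
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Problems   = ($problems -join '; ')
            }
        }
}

$report = @(Get-ComputerCertReport -IssuerPattern $IssuerPattern -WarnDays $WarnDays)
if ($report.Count -eq 0) {
    Write-Warning "No certificate matching $IssuerPattern; check the pattern or refresh Group Policy."
}
$report | Format-List Subject, Thumbprint, NotAfter, Problems
```

An empty Problems field means the certificate has a private key, is within its validity period, and carries both purposes. Run the check from an elevated session so that the Local Computer store and its private keys are readable.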
Best Practices
If you use a Windows Server 2003 or Windows 2000 enterprise CA as an issuing CA, configure
autoenrollment of computer certificates to install computer certificates on all computers. Ensure that all
appropriate domain system containers are configured for autoenrollment of computer certificates, either
by inheriting the Group Policy settings of a parent system container or through explicit configuration.

Step 1c: Installing User Certificates

If you are using a Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter
Edition, enterprise CA as an issuing CA, you can install user certificates through autoenrollment.
Configuring user certificate autoenrollment for wireless user certificates requires you to duplicate
Summit WM Technical Reference Guide, Software Version 5.1
