Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual page 117

• That the Certificate Authority is trusted.
• That the requester has permission to access the proxy.
If the process meets those requirements, the Windows server generates a PKCS#10 certificate
request and submits it to the proxy. The proxy parses the request, pulls out required information and
may derive or add other required information, and re-formats the request to meet the requirements for
the Red Hat Certificate System CA. The proxy then sends the reformatted request to the Certificate
Manager, which automatically issues the certificate (since the request was authenticated in the
Windows domain) and sends it to the proxy. The proxy then presents the certificate to the enrolling
application.
Figure 4.2. The Auto Enrollment Process
At several points in the process, the DCOM objects pull information about the proxy service from the
registry settings or from the entry in Active Directory:
1. The server runs an LDAP search on the root DSE to find the configuration naming context.
2. Then, it runs an LDAP search under the CN=Enrollment Services, CN=Public Key
Services, CN=Services branch of the configuration naming context, which lists every
configured enrollment service, including the Auto Enrollment Proxy.
3. The enrollment process then locates and uses any enrollment service which matches the required
criteria:
• Has a certificateTemplates attribute which matches the requested certificate type.
Certificate System 8.0 has two certificate profiles supported by default, for domain controller
certificates (caDomainController) and web server certificates (caAgentServerCert).
About Auto Enrollment
95