Microsoft Auto-enrollment Operations

This is an EJBCA Enterprise feature.

The following provides an overview of how to configure auto-enrollment in EJBCA.

For an example guide of setting up MS Auto-enrollment, see the Microsoft Auto-enrollment Configuration Guide and for a conceptual overview, see Microsoft Auto-enrollment Overview.

    To configure auto-enrollment, click Autoenrollment Configuration in the EJBCA menu.

    Auto-enrollment configuration is based on aliases and each alias is configured on the Manage Autoenrollment Aliases page.


    To add a new alias, specify a name for the alias, click Add and then select Edit Autoenrollment Alias.

    Configure Domain and Connection Settings

    The following sections cover the Domain and Connection configuration settings.

    Domain Controller and Policies Settings

    The following displays the settings on the Autoenrollment Alias configuration page.



    Field: Description

    Forest Root Domain: Domain name (DN) of the forest root (the location of the Certificate Templates).

    AD Domain Controller: Fully qualified domain name (FQDN) of the domain controller (used for the LDAP connection).

    Policy Name: Display name of the Certificate Enrollment Policy retrieved by clients (free text).

    Policy Update Interval: The value of 'nextUpdateHours' to be set in the policy response.

    Service Principal Name: Service principal name in the format PROTOCOL/fqdn@REALM.

    Kerberos Settings

    The following displays the Kerberos settings on the Autoenrollment Alias configuration page.


    Import the keytab and the Kerberos configuration file using the following fields.

    Field: Description

    Kerberos Key Tab: Import a valid keytab file.

    Krb5 Conf File: Import a valid krb5.conf file.

    Configure AD Connection

    The following fields are set for the Active Directory (AD) connection. Note that SSL can optionally be used for the EJBCA instance's connection to the LDAP server.

    Field: Settings Without SSL / Settings Using SSL

    Use SSL: Cleared / Selected

    Authentication Key Binding: Disabled / Select the relevant key binding

    Active Directory Port: 389 (or the port for your LDAP connection) / 636 (or the port for your SSL LDAP connection)

    AD User Login: user@DOMAIN.COM in both cases (for valid formats for the AD bind account, see below)

    AD User Password: your password in both cases

    The Active Directory bind account (AD User Login) can be provided in any of the following formats:

    • "autoenrollmentbind@yourcompany.com" (sAMAccountName followed by @, followed by either the DNS name of a domain in the same forest or a value in the uPNSuffixes attribute of the Partitions container in the configuration NC replica)

    • "CN=autoenrollment bind,CN=Users,DC=yourcompany,DC=com" (Full DN)

    • "autoenrollment bind" (Display Name)

    The EJBCA instance's connection to the LDAP server can be made over SSL. Once the Use SSL option is selected, an Authentication Key Binding can be specified; the selected key binding is used as the trust entry for the LDAP server's SSL certificate, so the connection is only established if the server certificate chains to that trust. For details on creating the binding needed for the SSL connection, see Setting up a Remote Authenticator.
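    As an added example (not code from the EJBCA documentation or product), the following Python check lints an alias before it is saved: it classifies the AD User Login value into one of the three accepted formats listed above and flags Use SSL, port and Authentication Key Binding combinations that do not match the settings described. The alias values are constructed placeholders.

```python
import re

# Constructed example alias settings; placeholders, not values from a real domain.
EXAMPLE_ALIAS = {
    "forest_root_domain": "yourcompany.com",
    "ad_domain_controller": "dc01.yourcompany.com",
    "service_principal_name": "HTTP/ejbca.yourcompany.com@YOURCOMPANY.COM",
    "use_ssl": True,
    "authentication_key_binding": None,   # "Disabled" in the UI
    "active_directory_port": 389,          # plain LDAP port although Use SSL is selected
    "ad_user_login": "autoenrollment bind",
}

UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")                # sAMAccountName@dns.suffix
DN_RE = re.compile(r"^(CN|OU|DC)=[^,]+(,(CN|OU|DC)=[^,]+)+$", re.IGNORECASE)
SPN_RE = re.compile(r"^[A-Za-z]+/[A-Za-z0-9.-]+@[A-Z0-9.-]+$")    # PROTOCOL/fqdn@REALM


def classify_bind_account(value):
    """Return which accepted AD User Login format a value matches: upn, dn, display_name or invalid."""
    if UPN_RE.match(value):
        return "upn"
    if DN_RE.match(value):
        return "dn"
    return "display_name" if value.strip() else "invalid"


def check_alias(alias):
    """Return a list of findings for an alias; an empty list means every rule passed."""
    findings = []
    if "." not in alias["ad_domain_controller"]:
        findings.append("AD Domain Controller should be a fully qualified domain name")
    if not SPN_RE.match(alias["service_principal_name"]):
        findings.append("Service Principal Name must have the form PROTOCOL/fqdn@REALM (upper-case realm)")
    if classify_bind_account(alias["ad_user_login"]) == "invalid":
        findings.append("AD User Login must be a UPN, a full DN or a display name")
    port = alias["active_directory_port"]
    if alias["use_ssl"]:
        # With Use SSL selected, a key binding must hold the trust entry for the LDAP server certificate.
        if not alias["authentication_key_binding"]:
            findings.append("Use SSL is selected but no Authentication Key Binding is chosen")
        if port == 389:
            findings.append("Use SSL is selected but port 389 is the plain LDAP port (636 is the usual LDAPS port)")
    elif port == 636:
        findings.append("Use SSL is cleared but port 636 is the usual LDAPS port")
    return findings
```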

    Figure: settings for the AD connection without SSL.

    Figure: settings for the AD connection with SSL.

    Configure Default CA

    The default CA used for auto-enrollment is selected using the Default CA field.

    Once the configuration has been stored by clicking Save, the AD connection can be tested by clicking Test Connection.

    A successful connection is confirmed with a success message.

    Configure Microsoft Auto-enrollment Templates

    To enroll through Microsoft Auto-enrollment, each Microsoft certificate template is mapped to an End Entity Profile and a Certificate Profile.

    In the Available MS Templates section, select a Template, an End Entity Profile and a Certificate Profile and click Add.


    Added template mappings are listed under Mapped MSAE Templates.


    Configure Key Archival (Optional)

    To enable key archival, which allows the private key to be recovered, configure the following:

    1. Select a KEC Certificate profile for auto-enrollment with key archival in the auto-enrollment alias configuration:

    2. Activate Enable Key Recovery in the EJBCA System Configuration:

      For more information, see EJBCA Configuration.

    3. Enable Key Recoverable in the end entity profiles used in the auto-enrollment alias configuration.

      For more information, see EJBCA Configuration.

    4. Enable key archival in the certificate template used in the auto-enrollment alias configuration.

      For more information, see Group Policies and Certificate Templates.