Step 1: Enable LDAP Referrals

Run the following commands on the CA. This configuration is required on the ADCS CA because a service account requests certificates on behalf of other users.

This feature is only supported on Windows 2008 R2 Enterprise and later. See the link below for context and details:

https://technet.microsoft.com/en-us/library/ff955842(v=ws.10).aspx

  1. First stop certificate services by running the following command:

    net stop certsvc

  2. Enable LDAP referrals by running the following command:

    certutil -setreg policy\EditFlags +EDITF_ENABLELDAPREFERRALS


  3. Start certificate services by running the following command:

    net start certsvc

Step 2: Create the Restricted Enrollment Agent Certificate Template

  1. Open the Certificate Authority (CA).

  2. Expand the CA Name, Right click Certificate Templates, and select Manage.

  3. Right click the Enrollment Agent (Computer) template and select Duplicate Template. Name it per your preference.

  4. When prompted for the template version, select Windows Server 2008 Enterprise.

  5. On the Request Handling tab, select Allow Private Key to be Exported.

  6. In the Subject Name tab, make sure Build from this Active Directory Information is activated and Subject Name format is set to Fully distinguished name.

  7. Click OK.

  8. Navigate back to the CA, right click Certificate Templates, select New, and select Certificate Template to Issue.


  9. Select the duplicate copy of the template created in the previous step.


  10. Click OK.

Enroll a computer for the Signer Certificate

Step 1: Generate a new Restricted Enrollment Agent Signer Certificate

The following actions in this step can be done on any server that can connect to the Certificate Authority.

  1. Open MMC.

  2. Click File and select Add/Remove Snap-in.


  3. Select Certificates.

  4. Select Computer Account.

  5. Select Local Computer and select Finish.

  6. Click OK.

  7. Expand Certificates (Local Computer), double click Personal, right click Certificates, select All Tasks, and select Request New Certificate.

  8. Click Next.

  9. Select Active Directory Enrollment Policy and select Next.


  10. Check the duplicate template created in earlier steps and select Enroll.


  11. Once completed, select Finish.

Step 2: Configure the issued certificate

  1. Once the certificate has been issued, right click it and select All Tasks followed by Manage Private Keys.

  2. Click Add.

  3. Type Network Service and select Check Names. Once added, select OK twice.


Step 3: Export the Certificate

If the certificate needs to be installed on multiple Device Services servers or Workspace ONE UEM Cloud Connector servers, export with the private key. If not, skip to exporting just the public key.

Export public and private key to a .pfx file

  1. Right click the issued certificate, select All Tasks followed by Export.

  2. Click Next.


  3. Select Yes, export the private key and select Next.

  4. Select Include all certificates in the certification path if possible as well as Export all extended properties. Click Next.

  5. Set a password and select Next.

  6. Select a folder in which to save the exported certificate.

  7. Click Finish.

Export the public key to .cer file

Only the public key needs to be exported for upload to the console:

  1. Right click the issued certificate, select All Tasks followed by Export.

  2. Select No, do not export the private key, and select Next.

  3. Select DER encoded binary X.509 (.CER), select Next.

  4. Select a destination for the exported certificate and select Next.

  5. Click Finish.
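As an added check (not part of the original guide or of any VMware tooling), the following PowerShell script verifies the three configuration points above: the EDITF_ENABLELDAPREFERRALS flag on the CA, the Network Service permission on the signer certificate's private key, and the public-only .cer export. It assumes the script runs elevated, that the signer key is a legacy CSP key (as the 2008-compatible template creates), that the PKI module's Export-Certificate cmdlet is available, and that the output path under $env:TEMP is an arbitrary choice.

```powershell
# Added verification script, not part of the original guide. Assumes: run
# elevated, the signer key was created with a legacy CSP (as the
# 2008-compatible template does) and the PKI module's Export-Certificate
# cmdlet is available (Windows Server 2012 or later).

# 1. On the CA: confirm EDITF_ENABLELDAPREFERRALS (0x00800000) is set in
#    the active CA's policy module EditFlags.
$EDITF_ENABLELDAPREFERRALS = 0x00800000
$caRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $caRoot).Active
$policy = Join-Path $caRoot "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$editFlags = (Get-ItemProperty $policy).EditFlags
if ($editFlags -band $EDITF_ENABLELDAPREFERRALS) {
    Write-Host ('LDAP referrals enabled on {0} (EditFlags=0x{1:X})' -f $caName, $editFlags)
} else {
    Write-Warning "EDITF_ENABLELDAPREFERRALS not set on $caName; rerun Step 1 and restart certsvc."
}

# 2. On the enrolling server: find the Enrollment Agent signer certificate by
#    its Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1).
$agentEku = '1.3.6.1.4.1.311.20.2.1'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $agentEku) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No Enrollment Agent certificate with a private key in LocalMachine\My.' }
Write-Host "Signer certificate: $($cert.Subject) [$($cert.Thumbprint)] expires $($cert.NotAfter)"

# 3. Confirm the Manage Private Keys step: NETWORK SERVICE must be allowed to
#    read the key container file under MachineKeys.
$rsa = $null
try { $rsa = $cert.PrivateKey } catch { }   # the getter throws for CNG-stored keys
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' +
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
    $allowed = (Get-Acl $keyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
        $_.FileSystemRights -match 'Read|FullControl'
    }
    if ($allowed) { Write-Host 'NETWORK SERVICE has read access to the private key.' }
    else { Write-Warning 'NETWORK SERVICE is missing on the private key ACL; repeat Step 2.' }
} else {
    Write-Warning 'Private key is not a legacy CSP key; check its ACL manually (Manage Private Keys).'
}

# 4. Export only the public certificate as DER (.cer) for upload to the console.
$cerPath = Join-Path $env:TEMP "EnrollmentAgent-$($cert.Thumbprint).cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
Write-Host "Public certificate (no private key) written to $cerPath"
```

Section 1 only makes sense on the CA itself; run sections 2 to 4 on each server that holds the signer certificate.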

Step 4: (If required) Import the certificate for other Device Services servers or AirWatch Cloud Connector servers

On any other DS servers or AirWatch Cloud Connector servers, the certificate exported in the previous steps must be imported. Skip this section if no other DS or ACC servers are involved.

  1. Open MMC.

  2. Click File and select Add/Remove Snap-in.


  3. Select Certificates.

  4. Select Computer Account and select Next.

  5. Select Local Computer and select Finish.

  6. Click OK.

  7. Expand Certificates (Local Computer) and select Personal. Right click Certificates, select All Tasks and select Import…

  8. Select the .pfx file exported in previous steps and select Next.

  9. Enter the password created for this file in previous steps, make sure Include all extended properties is checked and select Next.

  10. Ensure Place all certificates in the following store is set to Personal and select Next.

  11. Click Finish.