For domain joined computers it is possible to create a Group Policy Object that will allow requesting a certificate through MMC > Certificate snap-in without having to create a CSR and other administrative overheads.

  • Open the Group Policy Management editor and create a new GPO in the domain OU structure shown below we are creating a new GPO and linking it to the Servers OU so that all the servers under this OU can request certificate from PKI server, let us call this GPO “Certificate Enrollment GPO”



  • Edit the “Certificate Enrollment GPO” and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies


  • Right click on Certificate Services Client – Client Enrollment Policy  and bring up the properties window and set this to Enabled, default will be Not Configured.


  • Similarly bring up the properties window for Certificate Services Client – Auto-Enrollment and perform settings as per below


  • Enforce and run a Group Policy Update



After completing the above steps, logon to the server and Request a new certificate. In the screen snap shots below a server DEVAF4 is joined to domain



The Next step will be bring up list of published certificate templates refer to how to create templates as in this example DEVAF4 is designated ADFS server we will use ADFS Template and request a certificate


Friendly name for the cert will be under General tab and ensure that Private Key is marked as being exportable and click on Apply. 




The required details for the certificate request have been filled in and now should be able to Enroll the new certificate request


Once successful a certificate will be issued by PKI server


The issued certificate will be registered in the CA