Constraints that Limit the Certificate Enrollment Process

Published: 29th August 2010
Constraints are of two types: those that are built in to the product and cannot be changed, and those that can be configured. Consider the following constraints when designing the certificate enrollment process:

Built-in constraints are controls that already exist.
If a user can authenticate to an enterprise CA, he or she can make a certificate enrollment request for a user certificate, such as an EFS certificate, a User certificate, and so on.
To request a computer or service certificate, a user must have administrative privileges.
To request a CA certificate, a user must have administrative privileges on the CA.

Configurable constraints are under your control. They might have a default configuration, but they are meant to be configured to suit the policy and risk posture of the organization. These are the configurable constraints:

Certificate types can be restricted to users and groups of users by adding or removing the Enroll permission on the certificate template for the specific certificate type. For example, EFS Recovery Agent certificates can be restricted to a specific group of users by giving that group the Enroll permission on the EFS Recovery Agent template and not granting it to any other group. A best practice is to pay careful attention to who can request each certificate type and who is given permission, through group membership, to obtain certificates.


A CA can be restricted in the types of certificates it issues. In general, the root CA and intermediate CAs should issue only CA certificates. Further, issuing CAs should not issue CA certificates and should be configured to issue only the certificate types that are approved. This guideline, however, might not work in some circumstances. In smaller environments, for example, a single CA might serve all purposes, or a two-tier hierarchy made up of two CAs might be present.

The policy of the issuing CA can be set to require manual approval of each certificate request. In a large enterprise where thousands of certificates must be issued, this is not a workable solution. However, even in a large enterprise, some CAs, such as the root CA, can be set to require manual approval.

Automatic enrollment of computer certificates can be configured in Active Directory Group Policy.
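The four configurable constraints above (template Enroll permissions, which templates each CA publishes, manager approval, and autoenrollment policy) can all be read back from Active Directory and the local policy, which is how an administrator verifies that the design was actually applied. The following PowerShell audit script is an added example and is not part of the original article or of any Microsoft tool. It assumes the ActiveDirectory module (RSAT) and certutil.exe are present, that it runs on a domain-joined machine, and that the account can read the Configuration partition; the "broad principal" name pattern is a constructed heuristic for this example.

```powershell
# Added example: audit the configurable enrollment constraints described in the article.
# Assumptions: ActiveDirectory module available, domain-joined host, read access to the
# Configuration naming context. Not the article's own code.
Import-Module ActiveDirectory

# Extended right GUID for "Certificate-Enrollment" (the Enroll permission on a template).
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
# msPKI-Enrollment-Flag bit that means "CA certificate manager approval" is required.
$CT_FLAG_PEND_ALL_REQUESTS = 0x2
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
# Constructed heuristic: principals that make a template effectively open to everyone.
$BroadPrincipalPattern = 'Authenticated Users|Domain Users|Domain Computers|Everyone'

$configNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"

# Map each template name to the CAs (pKIEnrollmentService objects) that publish it.
function Get-PublishedTemplateMap {
    $map = @{}
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates
    foreach ($ca in $cas) {
        foreach ($t in @($ca.certificateTemplates)) {
            if (-not $map.ContainsKey($t)) { $map[$t] = @() }
            $map[$t] += $ca.Name
        }
    }
    return $map
}

# One row per template: who holds Enroll, whether manager approval is on, where it is published.
function Get-TemplateEnrollReport {
    $published = Get-PublishedTemplateMap
    $templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -Filter 'objectClass -eq "pKICertificateTemplate"' `
        -Properties nTSecurityDescriptor, 'msPKI-Enrollment-Flag'
    foreach ($tpl in $templates) {
        $enrollers = @()
        foreach ($ace in $tpl.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.ActiveDirectoryRights
            # Enroll is granted by the specific extended right, by "all extended rights"
            # (empty ObjectType), or by GenericAll (full control).
            $viaExtended = (($rights -band $ExtendedRight) -ne 0) -and
                           ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [Guid]::Empty)
            $viaFull     = (($rights -band $GenericAll) -eq $GenericAll)
            if ($viaExtended -or $viaFull) { $enrollers += $ace.IdentityReference.Value }
        }
        $enrollers = @($enrollers | Sort-Object -Unique)
        [pscustomobject]@{
            Template        = $tpl.Name
            PublishedOn     = (@($published[$tpl.Name]) -join ', ')
            ManagerApproval = (([int]$tpl.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0)
            EnrollGrantedTo = ($enrollers -join '; ')
            BroadEnroll     = [bool]($enrollers | Where-Object { $_ -match $BroadPrincipalPattern })
        }
    }
}

# Local machine's effective autoenrollment policy (set through Group Policy):
# the AEPolicy value 0x8000 means autoenrollment is disabled on this host.
function Get-LocalAutoEnrollmentState {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $v = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $v) { return 'Not configured by policy' }
    if (($v -band 0x8000) -ne 0) { return "Disabled (AEPolicy=0x{0:X})" -f $v }
    return "Enabled (AEPolicy=0x{0:X})" -f $v
}

# Only templates a CA actually publishes can be requested, so report those first;
# flag templates that are open to broad groups and do not require approval.
Get-TemplateEnrollReport |
    Where-Object { $_.PublishedOn } |
    Sort-Object -Property @{Expression = 'BroadEnroll'; Descending = $true}, Template |
    Format-Table Template, PublishedOn, ManagerApproval, BroadEnroll, EnrollGrantedTo -AutoSize

"Local autoenrollment policy: $(Get-LocalAutoEnrollmentState)"
# CA-wide pending policy (run on the CA or with -config): certutil -getreg policy\RequestDisposition
```

Rows with BroadEnroll set to True and ManagerApproval set to False are the ones to review against the article's advice: either tighten the Enroll permission to a specific group or require manager approval on that template. The report reads only the Configuration partition and the local registry, so it can be scheduled as a recurring check without touching the CA itself.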

Source: http://jkdkj.articlealley.com/constraints-that-limit-the-certificate-enrollment-process-1721718.html