Part 2 - issuing certificates for S/MIME use
In Part 1 of my three-part presentation on S/MIME, I created a certificate template for "Secure Email", named it "S-MIME" and then made it available to users.
However, although the template is available, particular certificates must still be issued to particular users. The template is only a template or a model. Each user needs their own certificate, and must request their own certificate, either manually or through a process known as "autoenrollment".
Note: if we look at a sample user's certificate store at this point, it contains no personal certificates at all (this may or may not be the case in your organization).
I have opted to use autoenrollment with Group Policy to issue certificates to users.
So, we must create a Group Policy Object (GPO) that enrolls authorized users for the certificate and then apply the GPO to the Organizational Unit (OU) that contains these users.
Step 1: create the GPO
Go to the Group Policy Management Console (GPMC) right-click on the "Group Policy Objects" icon and select "New". I've named my new GPO "S-MIME".
Click on "OK".
Step 2: configure GPO settings for certificate autoenrollment
Right-click on the new GPO and select "Edit".
Since the certificates are for users, we are going to the "User Configuration" section and then, following this path, to "Certificate Services Client - Auto-enrollment".
User Configuration | Policies | Windows Settings | Security Settings | Public Key Policies
Enable the policy:
I check all three options. I discovered that if I do not check the second option (Update certificates that use certificate templates) the certificate would not be issued.
Step 3: Apply the GPO to the OU
Now, we must apply the GPO to the OU containing the users in question.
In the GPMC, I right-click on "ExchangeUsers" (your Active Directory structure will probably be different), select the option "Link an existing GPO", and then select the "S-MIME" GPO.
If all is properly configured at this point, the certificate should be issued the next time the users in "ExchangeUsers" logon. I have observed - at least in my test environment - that a second logon is sometimes necessary. On the other hand, if the current user executes the following command (at the command line...)
the certificate will be issued immediately and appear in the "Personal" folder | "Certificates" subfolder of the current user's certificate store.
So, if we look in the user's certificate store again, there is now a certificate that can be used to secure their email: