
802.1X – Deploy Machine and User Certificates

If you use EAP-TLS, EAP-FAST or TEAP as your 802.1X authentication method, you need X.509 certificates issued to the computer, to the user, or to both (EAP chaining authenticates the machine and the user in one session and therefore needs both).

This blog post explains the steps required to deploy those certificates to users and computers with Active Directory Certificate Services (AD CS). It assumes that an enterprise CA is already installed and correctly configured, and that the computers are joined to the domain.

Certificate Authority (CA)

The first step is to configure the certificate templates that AD CS uses as the starting point for automatically enrolling and deploying certificates to domain computers and users.

The procedure below shows how to create a copy of a template and configure the newly created template to enable auto-enrollment.

  1. In the Certification Authority console, right-click Certificate Templates and choose Manage.
  2. For machine certificates, duplicate the 'Workstation Authentication' template and give the copy a suitable name ('machine auth' in this example). This template already carries the Client Authentication EKU and builds the subject from the computer's DNS name in AD, which is what the RADIUS server will match on.
  3. On the Security tab of the new template, allow Read, Enroll and Autoenroll for 'Domain Computers'.
  4. For user certificates, duplicate the 'User' template and give the copy a suitable name ('user auth' in this example). Its subject is built from AD and the UPN is placed in the Subject Alternative Name. The stock template also requires the user's e-mail address in both subject and SAN; if not every account has the mail attribute populated, clear those two options on the Subject Name tab or auto-enrollment fails for those users.
  5. On the Security tab of the new template, allow Read, Enroll and Autoenroll for 'Domain Users'.

In both templates leave the Subject Name tab on 'Build from this Active Directory information'. A template that lets the enrollee supply the subject must never be granted Autoenroll (or Enroll) to a broad group such as Domain Users, because any member could then request a certificate for an arbitrary identity and use it to authenticate to the network as that identity.

Next, publish the new templates on the CA: in the Certification Authority console, right-click Certificate Templates, choose New > Certificate Template to Issue, and select both templates. Once they are added, they are available for enrollment.
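The same publishing step, followed by the checks a reviewer would want before a template is auto-enrolled to a whole domain, as an added PowerShell example (this is not code from the original post). It assumes the templates were created with the display names 'machine auth' and 'user auth' from the post, so their template common names default to the display names with the spaces removed ('machineauth', 'userauth'), and that it is run on the CA by an account that can read the Configuration partition.

```powershell
# Added example, not part of the original post. Publishes the two duplicated
# templates and audits their EKU, subject-name flags and ACL in AD.
# Assumption: template CNs are 'machineauth' and 'userauth' (display name
# minus spaces, the default when you type 'machine auth' / 'user auth').
Import-Module ADCSAdministration    # AD CS management tools
Import-Module ActiveDirectory       # RSAT-AD-PowerShell

# template CN -> group that must hold Read, Enroll and Autoenroll
$wanted = @{
    'machineauth' = 'Domain Computers'
    'userauth'    = 'Domain Users'
}

# Extended-right GUIDs defined in the AD schema for certificate templates
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$ClientAuthEku   = '1.3.6.1.5.5.7.3.2'      # EKU required for EAP-TLS
$FlagEnrolleeSuppliesSubject = 0x1          # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT

$configNC      = (Get-ADRootDSE).configurationNamingContext
$tmplContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

foreach ($cn in $wanted.Keys) {
    $group = $wanted[$cn]
    $dn    = "CN=$cn,$tmplContainer"

    # 1. Publish on this CA if not already issued (same as
    #    Certificate Templates > New > Certificate Template to Issue).
    if (-not (Get-CATemplate | Where-Object Name -eq $cn)) {
        Add-CATemplate -Name $cn -Force
    }

    # 2. Read the template object and its ACL from the Configuration partition.
    $tmpl = Get-ADObject -Identity $dn -Properties 'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage'
    $acl  = Get-Acl -Path "AD:\$dn"

    # Only Allow ACEs for the target group matter here.
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$group"
    }

    # GenericAll implies every right; otherwise the extended right must be
    # granted explicitly with the matching ObjectType GUID.
    $hasExtendedRight = {
        param([guid]$right)
        [bool]($aces | Where-Object {
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             $_.ObjectType -eq $right)
        })
    }
    $hasRead = [bool]($aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericRead) -or
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    })

    # 3. Report. SubjectFromAD must be True: a template whose enrollee supplies
    #    the subject, combined with Autoenroll for a broad group, lets any member
    #    obtain a certificate for an arbitrary identity.
    [pscustomobject]@{
        Template        = $cn
        Group           = $group
        Published       = [bool](Get-CATemplate | Where-Object Name -eq $cn)
        ClientAuthEKU   = $tmpl.pKIExtendedKeyUsage -contains $ClientAuthEku
        SubjectFromAD   = ($tmpl.'msPKI-Certificate-Name-Flag' -band $FlagEnrolleeSuppliesSubject) -eq 0
        GroupRead       = $hasRead
        GroupEnroll     = & $hasExtendedRight $EnrollRight
        GroupAutoEnroll = & $hasExtendedRight $AutoEnrollRight
    }
}
```

Every column should read True for both templates before you move on to Group Policy; a False in SubjectFromAD means the Subject Name tab was switched to 'Supply in the request' and the template should be fixed before it is published.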

Group Policy

You can use Group Policy to turn on certificate auto-enrollment, so that domain computers and users request certificates from the published templates without any manual enrollment.

  1. Open the Group Policy Management console.
  2. Edit the GPO that you want to modify (the Default Domain Policy in this example; in production a dedicated GPO linked to the workstation and user OUs is easier to scope and roll back).
  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies for the machine certificates, and to the same path under User Configuration for the user certificates. Both settings are needed; each one only drives enrollment for its own context.
  4. Double-click Certificate Services Client – Auto-Enrollment.
  5. Change Configuration Model to Enabled.
  6. Select both 'Renew expired certificates, update pending certificates, and remove revoked certificates' and 'Update certificates that use certificate templates'.
  7. Click OK to save your changes. Workstations apply the GPO at the next Group Policy refresh and request the certificates from the CA.

Verification

Once all the configuration is complete, you can either reboot the computer or force a policy refresh with gpupdate /force from the command line to receive the certificates (certutil -pulse triggers the auto-enrollment task directly, without waiting for the refresh). The issued certificates appear in the Personal store: certlm.msc for the computer certificate and certmgr.msc for the user certificate.
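A scripted version of this verification, as an added example that is not part of the original post: it searches both Personal stores for a certificate issued from the post's 'machine auth' and 'user auth' templates that has a private key and the Client Authentication EKU, validates the chain the way the RADIUS server will, and triggers auto-enrollment if nothing is found. The template display names are the post's; the assumption that the template extension's formatted text contains that name is noted in the code.

```powershell
# Added example, not part of the original post. Run in an elevated prompt
# on a domain-joined workstation (the machine store needs admin rights).

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'          # EKU the RADIUS server requires for EAP-TLS
$TemplateOids  = @(
    '1.3.6.1.4.1.311.21.7',                   # Certificate Template Information (V2+ templates)
    '1.3.6.1.4.1.311.20.2'                    # Certificate Template Name (V1 templates)
)

function Get-EapTlsCertificate {
    param(
        [Parameter(Mandatory)] [string]$Store,         # 'Cert:\LocalMachine\My' or 'Cert:\CurrentUser\My'
        [Parameter(Mandatory)] [string]$TemplateName   # display name of the issuing template
    )
    Get-ChildItem -Path $Store | Where-Object {
        $cert = $_
        # Assumption: the formatted template extension (what certutil prints as
        # "Template=") contains the template display name, which a domain member
        # resolves from AD. Adjust the match if your client only shows the OID.
        $fromTemplate = $cert.Extensions |
            Where-Object { $TemplateOids -contains $_.Oid.Value } |
            Where-Object { $_.Format($false) -match [regex]::Escape($TemplateName) }

        $cert.HasPrivateKey -and
        [bool]$fromTemplate -and
        ($cert.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
    }
}

function Test-EapTlsCertificate {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    # Verify() builds and validates the chain, including revocation, against the
    # local trust store; a certificate that fails here will fail on the NAS too.
    [pscustomobject]@{
        Subject    = $Cert.Subject
        SAN        = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
        NotBefore  = $Cert.NotBefore
        NotAfter   = $Cert.NotAfter
        Thumbprint = $Cert.Thumbprint
        ChainValid = $Cert.Verify()
    }
}

$checks = @(
    @{ Store = 'Cert:\LocalMachine\My'; Template = 'machine auth'; PulseArgs = @('-pulse') },
    @{ Store = 'Cert:\CurrentUser\My';  Template = 'user auth';    PulseArgs = @('-user', '-pulse') }
)

foreach ($c in $checks) {
    $certs = @(Get-EapTlsCertificate -Store $c.Store -TemplateName $c.Template)
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate from template '$($c.Template)' in $($c.Store); triggering auto-enrollment"
        # Same effect as waiting for the next Group Policy refresh, without a reboot.
        $pulseArgs = $c.PulseArgs
        & certutil.exe @pulseArgs
        continue
    }
    $certs | ForEach-Object { Test-EapTlsCertificate -Cert $_ } | Format-List
}
```

Check that the machine certificate's SAN carries the host's DNS name and the user certificate's SAN carries the UPN, since those are the values the RADIUS server compares against AD. ChainValid false on a freshly enrolled certificate usually means the CA's CRL distribution point is not reachable from the client, which will also break authentication on the switch.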

(Screenshots in the original post: the issued computer certificate and user certificate in the Personal store.)

Now that the certificates are in place, we can use them for 802.1X authentication, which I will explain in the next post.
