Request a personal certificate on Windows automatically
Solution 1:
This feature is called Certificate Autoenrollment: Configure Certificate Autoenrollment
just to note: do not use web enrollment, it is way outdated and have very and very limited functionality.
Edit: Here is how autoenrollment works.
- Each time group policies are refreshed on clients (on domain members it is about each 90min +/-, on domain controllers it is 15 or 5 minutes, depending on functional level) it triggers the autoenrollment.
- Autoenrollment checks all certificate templates from Active Directory and selects ones where current user account (or group) have Read and Autoenroll permissions.
- Autoenrollment locates available Enterprise CAs in an Active Directory forest and checks whether the CA supports certificate templates selected in step 2.
- Autoenrollment examines local certificate store and checks whether there are valid certificates based on templates selected in step 3. If there is missing certificate, autoenrollment performs silent certificate enrollment.
Although, the logic is more complex, this information is enough to you to understand how templates are selected, in other words, through permissions and certificate template availability at CA server.