DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

How to configure silent auto-enrollment | PKI Client

Solution ID : HOWTO124706
Last Modified : 10/21/2023


This article describes how to deploy silent auto-enrollment with PKI Client. Be sure to complete the following prerequisites before proceeding any further.


  1. Setup and configure your PKI Manager Administrator account.
  2. Download and import your Root/Intermediate Certificate Authority (CA) certificate(s) via Group Policy Object (GPO).
  3. Enterprise Gateway (EGW) has been installed on a local Windows Server.
Note: Check PKI Manager to verify what Certificate Authority (CA) you are using in your Certificate Profile. If you are using a Subordinate CA, you need to make sure the certificate has been imported into the “Trusted Root Certification Authority” within your domain environment.

Getting Started:

  1. Download the PKI Client software from PKI Manager.
  2. Install the PKI Client software on a single client machine and harvest the ADMX and ADML files needed for the configuration of your Group Policy Object (GPO) configuration.  Alternatively, both files are available below this article in the attachment section for your convenience.
    • Open the following local directory, “C:WindowsPolicyDefinitions” and copy the “SymPKIClient4.admx” file from the client computer and paste the ADMX file on the AD server “\<AD Server Name>C$WindowsPolicyDefinitions”.
    • Open the following local directory, “C:WindowsPolicyDefinitionsen” and copy the “SymPKIClient4.adml” file from the client computer and paste the ADML file on the AD server “\<AD Server Name>C$WindowsPolicyDefinitionsen”.
  3. Log on to the Active Directory server and configure the Symantec PKI Client group policy:
    • Open Group Policy Management
    • Create or edit a GPO
    • Expand Computer Configuration
    • Expand Policies
    • Expand Administrative Templates
    • Click on “Symantec PKI Client
    • Double-click on “Managed PKI Auto-Enrollment Settings” and click on enable
    • Under “Gateway URL:” type in the URL of your RA Service (e.g. https://hostname)
    • Check to make sure the port numbers match the EGW port number already configured.
    • Click on “Next Settings” above and configure the “PKI Client Agent Settings”.
    • Set the “Agent Scan Base Interval” to the desired amount of time and then adjust the “Agent Scan Maximum Random Offset” to the desired time and then click on OK.
  4. Log on to a single client system that falls under the GPO you just configured, open a command prompt, and then type “gpupdate /force”.
  5. Type in “rsop.msc” to display the Resultant Set of Policy. You should see all Symantec PKI Client policies applied.
  6. Open the Symantec PKI Client and click on the icon labelled “My Computer”.
  7. Verify that you have successfully enrolled for your certificate.
  8. Done!