Active Directory Integration

Replace your Microsoft CA Without
losing the automation benefits

GlobalSign Auto Enrollment Gateway

Running a Microsoft CA is both resource intensive and costly. GlobalSign can greatly reduce these
burdens and provide significant efficiencies with all the same benefits and more. Our Auto Enrollment
Gateway (AEG) functions as a proxy between our WebTrust-audited SaaS-based CA and your Active
Directory environment. With AEG, you can still automate the enrollment, provisioning, and management
of digital certificates, but with a lower total cost of ownership for public key infrastructure, and reduced
risk of expensive business interruptions due to system outages of key management failures.

Microsoft CA

Keep the benefits of Microsoft
Certificate Services and AD

  • Automatically provision certificates to all
    domain-joined objects
  • Support a range of certificate templates
    and use cases
  • Control which objects receive which
    types of certificates by configuring AD
    Group Policies
GlobalSign SaaS CA

Replace your Microsoft CA
with GlobalSign SaaS CA

  • Liberate IT to focus on core competencies,
    rather than cryptography and CA tasks
  • Provision certificates to non-domain-joined
    objects and/or add public trust
  • GlobalSign manages the security, high
    availability, and CA operations, ensuring
    you meet SLAs and compliance audit

How AEG Works


The integration with Active Directory allows for quick and seamless certificate registration and
provisioning without sacrificing control. By configuring AD Group Policies, the administrator
dictates which users or machines are allowed which type of certificates, which are then issued
from GlobalSign's highly available and secure World Class CA.

Watch product video

AEG Features

AEG can be installed on Windows Server 2008 R2 and 2012 R2 and offers unique features and
functionality above and beyond what is included with a Microsoft CA. An intuitive user interface and
ability to provision certificates to non-domain-joined objects make it easy to centralize, automate,
and control all certificate activity across an organization.

Automated PKI Management

Automatically issue and manage certificates throughout their life cycle, including renewal, saving valuable IT resources and reducing the risk of expired certificates and resultant disruption in business workflows.


Outsourcing cryptography and certificate management services to a publicly trusted CA reduces the risk associated with managing and maintaining an in-house PKI operation and liberates IT to focus on core competencies and business-driving IT projects.

SCEP Server

Issue certificates to non-domain-joined objects (e.g., routers, mobile devices, non-Windows machines) using the SCEP server functionalities. Enrollment can take place using a manual enrollment website, or using a Mobile Device Management (MDM) platform linked directly to the SCEP server to issue certificates for their mobile devices.

Key Recovery and Archival

During the certificate enrollment process, the private key is securely sent to a designated local server as part of the certificate request and is archived there. Using key archival and recovery is essential for S/MIME use cases, and helps protect encrypted data from permanent loss in the event that the original encryption key is no longer available.

All Certificate Templates Supported

A wide range of pre-designed certificate templates support a variety of use cases, including S/MIME (with key archival and recover), smartcard logon, digital signatures for Microsoft Office documents, SSL, Encrypted File System (EFS), and user and machine authentication.

Optional Public Trust Available

If you need publicly trusted certificates (e.g., for sending digitally signed or encrypted emails outside the company), you can issue certificates from GlobalSign's publicly trusted root, rather than your hosted private root.

Pre-designed Certificate Templates Support a Range of Use Cases

The Auto Enrollment Gateway can be used to enroll and issue certificates to all types of Active
Directory objects, including users, servers, desktops, laptops, and Domain Controllers. A wide
range of pre-designed certificate templates support a variety of use cases, including:

Issue certificates to domain-joined servers. Because AEG issues from a private hosted root, certificates can contain local IP addresses.
MS Office
Document Signing
Replace paper-based workflows and enable electronic workflows with digital signatures for Microsoft Office documents.
Secure Email
Encrypt email communications and mitigate phishing threats by digitally signing internal emails, with the option to add public trust for external emails. Key recovery and archival are supported.
Replace passwords with cost-effective and user-friendly certificate-based authentication.
Mitigate the risk of rogue machines accessing your networks by limiting access to only machines and devices with properly configured certificates.
Digital certificates can be used on mobile devices for email encryption and signing, and authentication to email, VPNs, and Wi-Fi. GlobalSign has connectors with leading MDM providers to automate certificate provisioning.
Schedule a Demo 1-877-775-4562 or contact us online

Featured Resources