Windows Certificate Auto-Enrollment

KeyGrid Enrollment Gateway (KEG)

A Windows service that bridges Microsoft native auto-enrollment to KeyGrid PKI. Replace ADCS without disrupting existing Group Policy workflows or installing agents on endpoints.

Zero Client Changes: Domain-joined Windows machines enroll through native GPO auto-enrollment, no agents or scripts required

Built for Windows Environments

Everything you need to replace ADCS enrollment while keeping the Windows experience unchanged

ADCS Replacement

Drop-in replacement for Active Directory Certificate Services enrollment without changing Group Policy or client configuration

  • Transparent migration from ADCS
  • No client-side changes required
  • Existing GPOs continue to work
  • Gradual rollout support

Protocol Translation

Converts Microsoft MS-XCEP/MS-WSTEP SOAP enrollment to standards-based EST (RFC 7030) for KeyGrid PKI

  • MS-XCEP policy endpoint
  • MS-WSTEP enrollment endpoint
  • EST (RFC 7030) backend calls
  • Transparent SOAP-to-REST bridging

Kerberos Authentication

Native SPNEGO/Kerberos authentication for domain-joined Windows devices without distributing credentials

  • SPNEGO/Negotiate handshake
  • Kerberos ticket validation
  • No distributed passwords or tokens
  • Integrated Windows Authentication

Template Sync

Syncs certificate templates from KeyGrid and filters by Active Directory group membership and device attributes via LDAP

  • Automatic template synchronization
  • AD group-based filtering
  • Device attribute matching via LDAP
  • Per-template enrollment policies

Single Binary

Ships as one Windows executable with a PowerShell installer script. No runtime dependencies, no frameworks required

  • Single .exe deployment
  • PowerShell install/uninstall script
  • Zero runtime dependencies
  • Windows Service registration

High Availability

Stateless architecture allows multiple instances behind DNS round-robin or a load balancer for seamless failover

  • Stateless request handling
  • DNS round-robin support
  • Load balancer compatible
  • Zero-downtime upgrades

Enterprise Audit

Comprehensive audit trail with dual logging to Windows Event Log and KeyGrid REST API for centralized visibility

  • Windows Event Log integration
  • KeyGrid REST API logging
  • Enrollment success/failure tracking
  • Template and policy audit events

Multi-Domain & Forest

Supports single domain, multi-domain, and cross-forest trust configurations for complex Active Directory topologies

  • Single domain mode
  • Multi-domain within a forest
  • Cross-forest trust support
  • Selective authentication trust

Enrollment Flow

How It Works

KEG sits between Windows clients and KeyGrid PKI, translating Microsoft enrollment protocols to EST

01

Windows Client

Group Policy triggers auto-enrollment via MS-XCEP/MS-WSTEP

02

KEG Service

Validates Kerberos ticket, checks AD group membership via LDAP

03

Protocol Translation

Converts SOAP request to EST (RFC 7030) enrollment call

04

KeyGrid PKI

Issues certificate per template policy, returns to client
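The protocol translation in steps 02 to 04, as an added example that is not KEG's code and says nothing about how KEG is implemented: it takes a constructed MS-WSTEP RequestSecurityToken, extracts the PKCS#10 token, shapes the EST simpleenroll request (RFC 7030 section 4.2.1) that the backend call would carry, and wraps the EST certs-only reply back into a WS-Trust response for the Windows client. It assumes the WS-Trust 1.3, WS-Security 1.0 and MS-WSTEP namespace URIs shown, an `#PKCS7` ValueType for the returned chain, a placeholder CSR and a placeholder KeyGrid hostname; the Kerberos check of step 02 and the HTTPS call itself are outside the block.

```python
"""Added example, not part of KEG: translate a constructed MS-WSTEP
RequestSecurityToken into an EST simpleenroll request (RFC 7030 section 4.2.1)
and wrap the EST reply back into a WS-Trust response for the Windows client."""
import base64
import xml.etree.ElementTree as ET

# Namespace URIs: SOAP 1.2, WS-Trust 1.3 and WS-Security 1.0 (used by MS-WSTEP).
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
ENROLL_NS = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment"
PKCS10_VALUE_TYPE = ENROLL_NS + "#PKCS10"   # CSR carried by the client request
PKCS7_VALUE_TYPE = ENROLL_NS + "#PKCS7"     # assumed ValueType for the issued chain
BASE64_ENCODING = NS["wsse"] + "#base64binary"

# Constructed placeholder CSR: a DER SEQUENCE header plus filler, not a real PKCS#10.
SAMPLE_CSR_DER = b"\x30\x1e" + b"CONSTRUCTED-PKCS10-PLACEHOLDER"


def make_sample_rst(csr_der: bytes) -> str:
    """Build a minimal MS-WSTEP RequestSecurityToken envelope (constructed sample)."""
    return (
        '<s:Envelope xmlns:s="{s}" xmlns:wst="{wst}" xmlns:wsse="{wsse}"><s:Body>'
        "<wst:RequestSecurityToken>"
        "<wst:RequestType>{wst}/Issue</wst:RequestType>"
        '<wsse:BinarySecurityToken ValueType="{vt}" EncodingType="{enc}">{tok}'
        "</wsse:BinarySecurityToken>"
        "</wst:RequestSecurityToken></s:Body></s:Envelope>"
    ).format(s=NS["s"], wst=NS["wst"], wsse=NS["wsse"], vt=PKCS10_VALUE_TYPE,
             enc=BASE64_ENCODING, tok=base64.b64encode(csr_der).decode("ascii"))


def extract_pkcs10(soap_xml: str) -> bytes:
    """Return the DER CSR from the request, rejecting anything that is not a
    base64 PKCS#10 token. Every domain-joined host can reach this endpoint,
    so a production gateway should parse with a hardened parser (defusedxml)."""
    root = ET.fromstring(soap_xml)
    token = root.find(".//wst:RequestSecurityToken/wsse:BinarySecurityToken", NS)
    if token is None:
        raise ValueError("no BinarySecurityToken in RequestSecurityToken")
    if token.get("ValueType") != PKCS10_VALUE_TYPE:
        raise ValueError("unexpected ValueType %r" % token.get("ValueType"))
    if token.get("EncodingType") != BASE64_ENCODING:
        raise ValueError("unexpected EncodingType %r" % token.get("EncodingType"))
    try:
        der = base64.b64decode((token.text or "").strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("token is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("token does not start with a DER SEQUENCE")
    return der


def build_est_simpleenroll(csr_der: bytes, est_base_url: str) -> dict:
    """Shape the backend call: POST the base64 CSR to the EST simpleenroll URL."""
    return {
        "method": "POST",
        "url": est_base_url.rstrip("/") + "/.well-known/est/simpleenroll",
        "headers": {"Content-Type": "application/pkcs10",
                    "Content-Transfer-Encoding": "base64"},
        "body": base64.b64encode(csr_der).decode("ascii"),
    }


def wrap_est_response(pkcs7_b64: str) -> str:
    """Wrap the EST certs-only PKCS#7 (already base64) in the WS-Trust
    RequestSecurityTokenResponseCollection the Windows client expects."""
    return (
        '<s:Envelope xmlns:s="{s}" xmlns:wst="{wst}" xmlns:wsse="{wsse}"><s:Body>'
        "<wst:RequestSecurityTokenResponseCollection>"
        "<wst:RequestSecurityTokenResponse><wst:RequestedSecurityToken>"
        '<wsse:BinarySecurityToken ValueType="{vt}" EncodingType="{enc}">{tok}'
        "</wsse:BinarySecurityToken></wst:RequestedSecurityToken>"
        "</wst:RequestSecurityTokenResponse>"
        "</wst:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"
    ).format(s=NS["s"], wst=NS["wst"], wsse=NS["wsse"], vt=PKCS7_VALUE_TYPE,
             enc=BASE64_ENCODING, tok=pkcs7_b64.strip())


def translate_enrollment(soap_xml: str, est_base_url: str) -> dict:
    """Step 03 of the flow: validated SOAP request in, EST request out."""
    return build_est_simpleenroll(extract_pkcs10(soap_xml), est_base_url)


if __name__ == "__main__":
    # Assumed hostname and a constructed PKCS#7 placeholder, for a stand-alone run.
    req = translate_enrollment(make_sample_rst(SAMPLE_CSR_DER), "https://keygrid.example")
    print(req["method"], req["url"])
    print(wrap_est_response("Q09OU1RSVUNURUQtUEtDUzctUExBQ0VIT0xERVI="))
```

The gateway only ever forwards the client's own CSR; the principal that submitted it comes from the Kerberos handshake in step 02, not from anything inside the SOAP body, which is why the token checks above reject any ValueType or encoding other than a base64 PKCS#10 rather than trying to interpret them.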

No Credentials on the Wire

KEG uses Kerberos tickets that the Windows client already possesses from domain join. No passwords, API keys, or enrollment tokens are distributed to endpoints. Authentication is verified against Active Directory in real time.

Enterprise Use Cases

Certificate enrollment scenarios where KEG replaces or extends Active Directory Certificate Services

Windows Device Auto-Enrollment

Replace Microsoft ADCS with KeyGrid while keeping the native Windows auto-enrollment experience unchanged for end users

  • GPO-driven certificate enrollment
  • Machine and user certificate support
  • Automatic renewal before expiry
  • No end-user interaction required

Group Policy Certificate Deployment

Deploy certificates via existing Group Policy infrastructure without modifying GPOs or client configuration

  • Existing GPO compatibility
  • Template-based enrollment
  • OU and group scoping
  • Staged rollout by AD group

BYOD & Hybrid Join Enrollment

Enroll certificates for hybrid Azure AD-joined and BYOD devices connecting to the corporate network

  • Hybrid Azure AD join support
  • Workplace-joined devices
  • Certificate-based Wi-Fi access
  • Conditional access integration

Network Device Enrollment (802.1X)

Issue certificates for 802.1X wired and wireless authentication across enterprise network infrastructure

  • EAP-TLS machine certificates
  • RADIUS server integration
  • Dynamic VLAN assignment
  • Network access control

Deploy in Minutes

A single binary and a PowerShell script. No agents, no frameworks, no complex infrastructure

What You Deploy

  • keg.exe - Single Windows service binary
  • install.ps1 - PowerShell installer/uninstaller
  • keg.yaml - Configuration file (KeyGrid URL, domain, templates)
  • TLS certificate - Server cert for HTTPS enrollment endpoint

What You Keep

  • Existing GPOs - No Group Policy changes needed
  • Windows autoenroll - Native certlm.msc / certmgr.msc experience
  • AD group structure - Template filtering uses existing groups
  • Certificate templates - Managed centrally in KeyGrid
  • Event logging - Standard Windows Event Log integration

Replace ADCS, Keep the Experience

KeyGrid Enrollment Gateway bridges Windows auto-enrollment to modern PKI. One binary, Kerberos auth, zero client changes. Deploy alongside ADCS or replace it entirely.