Self Service+ can also get certificates from an Active Directory Web Certificate Authority (CA) using Kerberos authentication. If configured, Self Service+ creates a certificate signing request (CSR) and submits it to the URL specified in your Self Service+ configuration profile using the certificate template supplied there. If successful, Self Service+ places the signed certificate into the user’s keychain.
To get certificates, users must trust the CA’s SSL certificate.
By default, Self Service+ creates a key pair for the CSR and marks it as non-exportable from the user’s keychain. This can be turned off in the preference file. Self Service+ automatically renews the certificate if the most recent certificate for that user has less than 30 days of validity left.
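The CSR and renewal flow described above can be reproduced in a lab with openssl. This is an added example, not Jamf's code: a constructed throwaway CA stands in for the AD web CA, plain files stand in for the keychain, and the function names are hypothetical.

```shell
#!/bin/sh
# Added lab example: constructed data only. openssl stands in for the
# keychain and for the AD web CA; function names are hypothetical.
RENEW_DAYS=30   # renewal threshold stated in the text above

# make_ca DIR: create a throwaway CA (constructed stand-in for the AD CA).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Lab CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME DAYS: generate a key pair and CSR on the "client",
# then have the lab CA sign the CSR for DAYS days of validity.
issue_cert() {
    dir=$1; name=$2; days=$3
    # -nodes leaves the private key unencrypted on disk: lab use only,
    # the opposite of a non-exportable keychain item.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days "$days" -out "$dir/$name.pem" 2>/dev/null
}

# needs_renewal CERT: exit 0 if the certificate has less than RENEW_DAYS
# days of validity left, 1 if it does not, 2 if CERT cannot be parsed.
needs_renewal() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate is still valid after N seconds.
    if openssl x509 -in "$1" -noout \
        -checkend $((RENEW_DAYS * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}
```

The same `needs_renewal` check can be pointed at a PEM export of a user's issued certificate to confirm whether it has entered the 30-day renewal window.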