Setting up a Certificate Template to Enroll on behalf of other Users (Server 2012 R2 & 2016)

Microsoft Certificate Authority (CA) provides basic smart card certificate templates. However, these standard Microsoft CA templates cannot be used as they are on Windows 2012 servers. They must be duplicated and configured first.  This section shows how to set up the Smart Card certificate templates on the server that can be used by an administrator to enroll smart card certificates on behalf of other users.

This requires two steps:  issuing an "enrollment agent" certificate and adjusting the Smart Card User or Logon template to require that certificate for enrollment.

Step 1:

To issue an enrollment agent certificate, duplicate and configure the Enrollment Agent template.  

First, go to the CA snap-in.  In the Server Manager, choose Tools, then Certification Authority. 


Expand your server name to reveal Certificate Folders.


Right click the Certificate Templates folder and choose Manage.


A new window opens with a list of templates will be in the middle pane. Right click the "Enrollment Agent" template and select "Duplicate Template".  


Next, adjust the properties of the new template.  Under the Compatibility tab, leave the 2003 settings chosen.  


Under the General tab, rename the template.


 Under the Request Handling tab, select Purpose: "Signature and smartcard logon".


Click through the resulting warning box as shown here.


Note that "Prompt the user during enrollment" gets selected after the warning box, leave that setting.

Under the Cryptography tab, change the minimum key size to 2048, select "Requests must use one of the following providers", and check the Microsoft Base Smart Card Crypto Provider.  


Under the Security tab, be sure the Enroll ability is set for the group or users who will be setting up the smart cards for logon (use the Add button to add groups or individual users).  You may want to create an AD Group specifically for this purpose.


Click OK to save the template. Close that window.


The Certificates Template folder contains all the templates assigned to the CA. Some templates are assigned to the CA by default, the new template needs to be issued to be added to the Certification Authority templates. Right click the Certificate Templates folder, choose New then Certificate Template to Issue.  Choose the template you just created and click Ok.


Select the certificate template you have just created. Click the Certificate Templates folder to check that the new certificate template is now visible in that folder.

In order to issue the enrollment agent certificate, the user who will be enrolling others needs to request the enrollment agent certificate by logging onto their machine and running the MMC, similar to the steps in the article Self-enrolling a Smart Card Certificate.

Step 2:

In order to be able to issue a smart card certificate on behalf of another user, the Smart Card User or Logon template needs to be adjusted to require the Enrollment Agent certificate for enrollment.

Duplicate and configure a Smart Card User or Logon template, detailed in  the article on setting up templates for self enrollment: Setting up a Smart Card Template for Self-Enrollment (Server 2012 R2 & 2016)

Then make the following changes to template properties under the Issuance Requirements tab:

- Set the number of authorized signatures to 1,

- Set the policy type to "Application Policy",

- Set the application policy OID to "Certificate Request Agent"�.

This will ensure that the template will be made available to users with the Enrollment Agent role.


Note: Be sure the Enroll ability is set for the group or users who act as the Enrollment Agents to set up the other users with this certificate.

Make sure to rename this template so that it is clear that this is an "enroll on behalf of" � template.

Next, the template needs to be assigned to the active Certification Authority.  This is done in the CA snap-in in the Server Manager in the same way as described above, choosing the new Certificate Template to Issue.

See the next article on Enrolling a Smart Card certificate on behalf of another user


Have more questions? Submit a request


Article is closed for comments.
Powered by Zendesk