Microsoft Certificate Authority (CA) provides basic smart card certificate templates. However, these standard Microsoft CA templates cannot be used as they are on Windows 2012 servers. They must be duplicated and configured first. This section shows how to set up the Smart Card certificate templates on the server that can be used by an administrator to enroll smart card certificates on behalf of other users.
This requires two steps: issuing an "enrollment agent" certificate and adjusting the Smart Card User or Logon template to require that certificate for enrollment.
To issue an enrollment agent certificate, duplicate and configure the Enrollment Agent template.
First, go to the CA snap-in. In the Server Manager, choose Tools, then Certification Authority.
Expand your server name to reveal Certificate Folders.
Right click the Certificate Templates folder and choose Manage.
A new window opens with a list of templates will be in the middle pane. Right click the "Enrollment Agent" template and select "Duplicate Template".
Next, adjust the properties of the new template. Under the Compatibility tab, leave the 2003 settings chosen.
Under the General tab, rename the template.
Under the Request Handling tab, select Purpose: "Signature". (Note that if you choose to prompt user during enrollment, and have the Enrollment Agent certificate on a smart card, during enrollment for the other user, you'll be prompted to insert the Enrollment Agent card and PIN, and the other (new) user's card and PIN, possibly multiple times. If you don't pay careful attention to the prompts, you may end up placing the other user's certificate onto the Enrollment Agent's smart card inadvertently.)
Click through the resulting warning box as shown here.
Note that "Prompt the user during enrollment" gets selected after the warning box, leave that setting.
Under the Cryptography tab, change the minimum key size to 2048, select "Requests must use one of the following providers", and check the Microsoft Base Smart Card Crypto Provider. (Note that this setting will put the Enrollment Agent certificate onto the smart card. To set up the template for the Enrollment Agent certificate to simply be issued to the user account, see Setting up a Certificate Template to Enroll on behalf of other Users Server 2008 R2)
Under the Security tab, be sure the Enroll ability is set for the group or users who will be setting up the smart cards for logon (use the Add button to add groups or individual users). You may want to create an AD Group specifically for this purpose.
Click OK to save the template. Close that window.
The Certificates Template folder contains all the templates assigned to the CA. Some templates are assigned to the CA by default, the new template needs to be issued to be added to the Certification Authority templates. Right click the Certificate Templates folder, choose New then Certificate Template to Issue. Choose the template you just created and click Ok.
Select the certificate template you have just created. Click the Certificate Templates folder to check that the new certificate template is now visible in that folder.
In order to issue the enrollment agent certificate, the user who will be enrolling others needs to request the enrollment agent certificate by logging onto their machine and running the MMC, similar to the steps in the article Self-enrolling a Smart Card Certificate.
In order to be able to issue a smart card certificate on behalf of another user, the Smart Card User or Logon template needs to be adjusted to require the Enrollment Agent certificate for enrollment.
Duplicate and configure a Smart Card User or Logon template, detailed in the article on setting up templates for self enrollment: Setting up a Smart Card Template for Self-Enrollment (Server 2012 R2 & 2016)
Then make the following changes to template properties under the Issuance Requirements tab:
- Set the number of authorized signatures to 1,
- Set the policy type to "Application Policy",
- Set the application policy OID to "Certificate Request Agent"�.
This will ensure that the template will be made available to users with the Enrollment Agent role.
Note: Be sure the Enroll ability is set for the group or users who act as the Enrollment Agents to set up the other users with this certificate.
Make sure to rename this template so that it is clear that this is an "enroll on behalf of" � template.
Next, the template needs to be assigned to the active Certification Authority. This is done in the CA snap-in in the Server Manager in the same way as described above, choosing the new Certificate Template to Issue.
Note: If you will be using the standard Windows PIV minidriver, or any other middleware that supports PIV cards, (Option 2 for deployment from article Getting Started with PIVKey Management), you must map the PIV certificates. This can be done using the PIVKey Tool or it can be done in the templates. To do so in the templates, please see article Mapping a PIV Certificate using an OID, which explains how to set it up in the Extensions tab.
See the next article on Enrolling a Smart Card certificate on behalf of another user