Microsoft Certificate Authority (CA) ships with basic smart card certificate templates. However, the built-in templates are read-only and cannot be used as they are on Windows 2012 servers: they must be duplicated, and the copies configured. This section shows how to set up the smart card certificate templates on the server so that an administrator can enroll smart card certificates on behalf of other users.
This requires two steps: issuing an "enrollment agent" certificate and adjusting the Smart Card User or Logon template to require that certificate for enrollment.
To issue an enrollment agent certificate, duplicate the built-in Enrollment Agent template in the Certificate Templates console (certtmpl.msc; from the Certification Authority console, right-click "Certificate Templates" and select "Manage").
Note: Make sure to set the Security tab of the duplicated template so that the enrollment agent (for example the Administrator account) has Read and Enroll permission. You may want to create an AD group specifically for this purpose. Keep that group small: an enrollment agent certificate lets its holder obtain logon certificates for other users, so every member of the group is effectively trusted to act as any user whose certificate they can request. The CA can further limit which agents may enroll for which templates and users on the Enrollment Agents tab of the CA properties.
Add the enrollment agent template to the CA's "Certificate Templates" folder. Open the Certification Authority console (certsrv.msc), right-click "Certificate Templates" and select "New", then "Certificate Template to Issue".
Select the template you have just created.
Click the Certificate Templates folder to check that the new certificate template is now visible in that folder.
In order to issue the enrollment agent certificate, the user who will be enrolling others needs to request the enrollment agent certificate by logging onto the enrollment station machine and requesting it from the Certificates snap-in in the MMC, similar to the steps in the article Self-enrolling a Smart Card Certificate.
In order to be able to issue a smart card certificate on behalf of another user, you will have to modify the smart card issuance template.
Duplicate a smart card template, just as in the article Setting up a Smart Card Template for Self-Enrollment, but make the following changes to the Issuance Requirements tab:
- Set "This number of authorized signatures" to 1,
- Set "Policy type required in signature" to "Application policy",
- Set "Application policy" to "Certificate Request Agent" (OID 1.3.6.1.4.1.311.20.2.1).
This makes the CA issue from the template only when the request is co-signed by a certificate carrying the Certificate Request Agent application policy, that is, by a holder of an enrollment agent certificate. Users without that certificate will not be able to enroll from this template.
Note: Make sure to set the Security tab of the template so that the enrollment agent (or the AD group created above) has Read and Enroll permission. It is the agent, not the end user, who submits the request, so the users being enrolled do not need Enroll permission on this template.
Make sure to rename this template so that it is clear that this is an "enroll on behalf of" template.
Click Ok to save the changes to the template.
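The following PowerShell script is an added example, not part of the original article or of the PIVKey software: it checks from AD that the two templates above were configured and published as described. It reads the template objects directly from the Configuration partition (no RSAT module needed) and checks that the Enrollment Agent duplicate carries the Certificate Request Agent extended key usage, that the "enroll on behalf of" duplicate requires one signature with the Certificate Request Agent application policy, and that both are published on the CA. The template names and CA name at the top are assumptions; replace them with the names you chose.

```powershell
# Added example (not from the original article). Verifies the enrollment agent
# and "enroll on behalf of" templates described above. Run on a domain-joined
# machine as a user who can read the Configuration partition.

$AgentTemplate   = 'PIVKeyEnrollmentAgent'     # assumed name of your Enrollment Agent duplicate
$OboTemplate     = 'PIVKeySmartCardOBO'        # assumed name of your "enroll on behalf of" duplicate
$CaName          = 'CORP-ISSUING-CA'           # assumed CA common name as shown in certsrv.msc
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'    # Certificate Request Agent (well-known Microsoft OID)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Get-PkiTemplate([string]$Name) {
    # Binds to the pKICertificateTemplate object; property access throws if it does not exist.
    $obj = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,$pkiBase"
    try { [void]$obj.distinguishedName.Value } catch { throw "Template '$Name' not found under $pkiBase" }
    return $obj
}

function Test-TemplatePublished([string]$Name) {
    # The CA's "Certificate Templates" folder corresponds to the certificateTemplates attribute
    # of its pKIEnrollmentService object.
    $ca = [ADSI]"LDAP://CN=$CaName,CN=Enrollment Services,$pkiBase"
    try { return (@($ca.certificateTemplates) -contains $Name) } catch { throw "CA '$CaName' not found" }
}

$agent = Get-PkiTemplate $AgentTemplate
$obo   = Get-PkiTemplate $OboTemplate

# For v3/v4 templates msPKI-RA-Application-Policies is a packed string, so match on the
# OID as a substring rather than comparing whole values.
$raPolicies = (@($obo.'msPKI-RA-Application-Policies') -join '`')
$checks = [ordered]@{
    "$AgentTemplate has Certificate Request Agent EKU"  = (@($agent.pKIExtendedKeyUsage) -contains $RequestAgentOid)
    "$AgentTemplate published on $CaName"               = (Test-TemplatePublished $AgentTemplate)
    "$OboTemplate requires exactly 1 signature"         = ([int]$obo.'msPKI-RA-Signature'.Value -eq 1)
    "$OboTemplate signature must carry Request Agent"   = ($raPolicies -like "*$RequestAgentOid*")
    "$OboTemplate published on $CaName"                 = (Test-TemplatePublished $OboTemplate)
}

$allOk = $true
foreach ($k in $checks.Keys) {
    $ok = [bool]$checks[$k]
    if (-not $ok) { $allOk = $false }
    Write-Output ("{0} {1}" -f ($(if ($ok) { 'OK  ' } else { 'FAIL' })), $k)
}

if (-not $allOk) {
    # Publishing can also be done from the command line instead of the "New Certificate Template to Issue" dialog.
    Write-Output "Unpublished templates can be added with: certutil -config `"<CAHost>\$CaName`" -SetCATemplates +<TemplateName>"
}
```

If the "requires exactly 1 signature" or "signature must carry Request Agent" check fails, the CA will either hand the template out to anyone with Enroll permission (no signature required) or reject the agent's co-signed requests, so re-open the Issuance Requirements tab and correct it before handing cards out.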
Note: If you will be using the standard Windows PIV minidriver, or any other middleware that supports PIV cards (Option 2 for deployment in the article PIVKey Deployment Overview), you must map the certificates to PIV slots. This can be done with the PIVKey Tool or in the templates themselves. To do it in the templates, see the article Mapping a PIV Certificate using an OID, which explains how to set it up on the Extensions tab.
Once the user who will be enrolling others has requested and received the enrollment agent certificate on their machine (following the steps in the article Self-enrolling a Smart Card Certificate), continue with the next article, Enrolling a Smart Card Certificate on behalf of another user.