Setting up a Certificate Template to Enroll on behalf of other Users (Server 2008 R2)

An administrator may choose to enroll smart card certificates on behalf of a user. This requires issuing an "enrollment agent" certificate and adjusting the Smart Card Certificate template to require that certificate for enrollment.

To issue an enrollment agent certificate duplicate the enrollment agent template in the Active Directory Certificate Services plugin of the Server Manager.


Note: Make sure to set the security settings of the template so that Enrollment Agent (for example the Administrator) is permitted to Enroll the certificate. You may want to create an AD Group specifically for this purpose.

Add the enrollment agent template to the CA "Certificate Template" store. Bring up the Active Directory Certificate Authority plug in, and right click on "Certificate Templates". Select "New Certificate To Issue".

Select the template you have just created.

In order to be able to issue a smart card certificate on behalf of another user, you will have to modify the smart card issuance template.

Duplicate a smart card template, just as in  the article Setting up a Smart Card Template for Self-Enrollment, but make the following changes to the Issuance Requirements tab:

- Set the number of authorized signatures to 1,

- Set the policy type to "Application Policy",

- Set the application policy OID to "Certificate Request Agent"

This will ensure that the template will be made available to users with the Enrollment Agent role.


Note: Make sure to set the security settings of the template so that Enrollment Agent is permitted to Enroll the user with this certificate.

Make sure to rename this template so that it is clear that this is an "enroll on behalf of" template.  

Click Ok to save the changes to the template.

Note:  If you will be using the standard Windows PIV minidriver, or any other middleware that supports PIV cards, (Option 2 for deployment from article Getting Started with PIVKey Management), you must map the PIV certificates.  This can be done using the PIVKey Tool or it can be done in the templates.  To do so in the templates, please see article Mapping a PIV Certificate using an OID, which explains how to set it up in the Extensions tab.


In order to issue the enrollment agent certificate, the user who will be enrolling others first needs to request the enrollment agent certificate by logging onto their machine and running the MMC, similar to the steps in the article Self-enrolling a Smart Card Certificate. Then see the next article on Enrolling a Smart Card certificate on behalf of another user


Have more questions? Submit a request


Article is closed for comments.
Powered by Zendesk