Enrolling a Smart Card certificate on behalf of another user

To enroll a smart card certificate on behalf of another user, make sure the smart card certificate templates on the CA have been set up to allow it, and make sure the user who will be doing the enrollment has an "Enrollment Agent" certificate issued to them. (See the articles on Setting up Certificate Templates to Enroll on behalf of other Users for the Windows Server version being used.) Because an Enrollment Agent certificate lets its holder obtain logon-capable certificates for other accounts, issue it only to the people who actually perform enrollments, and consider using the CA's "Restrict enrollment agents" setting to limit which agents may enroll which templates for which users.

The user doing the enrollment should be logged in.  Then run MMC.exe. The MMC console will appear.

mmc1.jpg

Select "Add/Remove Snap-in" from the File menu. Add the Certificates snap-in and choose "My user account" (shown as "Current User" in some versions). Note that this may already be the default.

mmc2.jpg

Right-click the Certificates - Current User / Personal / Certificates store and select "Enroll on behalf of" from All Tasks / Advanced Operations.

image032.jpg

Click through the "Before You Begin" screen, and, on the "Certificate Enrollment" screen, click the "Browse..." button and select the "Enrollment Agent" certificate that has been issued to you.

image033.jpg

(If no Enrollment Agent certificate is available, you will need to request that one be issued to you. See the end of Step 1 in the article Setting up Certificate Templates to Enroll on behalf of other Users (Server 2012 R2 & 2016).)

On the next page select the smart card enrollment certificate template you have duplicated and modified.

image034.jpg

Click Next and select the user for whom you are enrolling the smart card certificate.

image035.jpg

Click Next. The following dialog may appear, asking you to insert the user's smart card if it is not already inserted.

image036.jpg

Enter the card's PIN.

image037.jpg

If the enrollment is successful, the dialog will show the following:

image038.jpg
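The following PowerShell is an added example and is not part of the PIVKey article or the PIVKey software. It automates the two checks a practitioner wants around the procedure above: before starting, that the enrolling user actually holds a valid Enrollment Agent certificate (Certificate Request Agent EKU, OID 1.3.6.1.4.1.311.20.2.1), and afterwards, that a Smart Card Logon certificate (EKU OID 1.3.6.1.4.1.311.20.2.2) for the intended user is visible once the card is inserted. The target account name `$TargetUpn` is a placeholder you must replace; the post-check runs in the target user's session (or on any machine where the card has been inserted and the certificate propagated), and the final `certutil -scinfo` call shows what is on the card itself.

```powershell
# Added example, not from the original article. Replace $TargetUpn with the
# UPN of the user for whom the smart card certificate was enrolled.
$TargetUpn = 'jane.doe@example.com'   # placeholder / assumption

$EnrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$SmartCardLogonEku  = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon

# Return $true if the certificate carries the given EKU OID.
function Test-CertHasEku {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $Oid) { return $true }
            }
        }
    }
    return $false
}

# Valid (unexpired, private key present) certificates with the EKU in the
# current user's Personal store.
function Get-UsableCertsWithEku {
    param([string]$Oid)
    Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Where-Object { Test-CertHasEku -Cert $_ -Oid $Oid }
}

# Pre-check for the enrolling user: do they hold an Enrollment Agent cert?
function Test-EnrollmentAgentReady {
    $agents = @(Get-UsableCertsWithEku -Oid $EnrollmentAgentEku)
    if ($agents.Count -eq 0) {
        Write-Warning 'No valid Enrollment Agent certificate in CurrentUser\My; request one before using "Enroll on behalf of".'
        return $false
    }
    $agents | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
    return $true
}

# Post-check: is there a Smart Card Logon certificate whose Subject
# Alternative Name carries the target user's UPN?
function Test-SmartCardLogonCert {
    param([string]$Upn)
    $hits = @(Get-UsableCertsWithEku -Oid $SmartCardLogonEku |
        Where-Object {
            $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            $san -and ($san.Format($false) -match [regex]::Escape($Upn))
        })
    if ($hits.Count -eq 0) {
        Write-Warning "No Smart Card Logon certificate for $Upn found; insert the card and check certificate propagation."
        return $false
    }
    $hits | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
    return $true
}

if (Test-EnrollmentAgentReady) {
    Write-Host 'Enrollment Agent certificate present; proceed with "Enroll on behalf of" in MMC.'
}
if (Test-SmartCardLogonCert -Upn $TargetUpn) {
    Write-Host "Smart Card Logon certificate for $TargetUpn is present."
}

# Show the certificates held on the inserted card directly (may prompt for the PIN).
certutil -scinfo
```

The SAN match is the useful part of the post-check: a Smart Card Logon certificate whose UPN does not belong to the account you meant to enroll is exactly the mistake this workflow makes easy, since the enrolling agent, not the card holder, picks the target user.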

At this point, the smart card is ready to be used if you will be using the PIVKey Minidriver for deployment (Option 1 from the article PIVKey Deployment Overview).  Option 1 requires the PIVKey Minidriver User software be installed on all machines where the card will be used.

If you will be using the standard Windows PIV minidriver, or any other middleware that supports PIV cards, for deployment (Option 2 from the article PIVKey Deployment Overview), then you must map the PIV certificates to the user accounts yourself, unless the certificate templates were already set up to map them via an OID on the template's Extensions property tab (see Mapping a PIV Certificate using an OID).
