Monday, January 4, 2010

Enrollment Agent

To request a certificate on behalf of another user (the usual case is issuing smart card logon certificates at an enrollment station), the requester needs an Enrollment Agent certificate, i.e. one carrying the Certificate Request Agent application policy (OID 1.3.6.1.4.1.311.20.2.1). Treat that certificate as a delegated credential: whoever holds its private key can obtain logon certificates in other users' names for every template that accepts agent-signed requests, so the template that issues it should be enrollable only by a small, dedicated group. Windows Server 2008 enterprise CAs can further restrict each agent to specific templates and to specific users or groups it may enroll on behalf of.

Step 1: Publish the enrollment certificate template.
Log in with an account that can both edit certificate templates (Enterprise Admins by default) and manage the CA. Run mmc.exe and add the Certificate Templates snap-in. Duplicate the built-in "Enrollment Agent" template and, on its Security tab, grant Read and Enroll only to your dedicated enrollment agent security group (and remove Enroll from any broader group the original template grants it to). Then open the Certification Authority console, right-click the "Certificate Templates" folder -> New -> Certificate Template to Issue, and select the duplicated template.

Step 2: Enroll the enrollment agent
Log in with the enrollment agent account, run mmc.exe, add the Certificates snap-in and select "My user account". Right-click Personal -> All Tasks -> Request New Certificate and pick the template published in Step 1. Optionally, a CA administrator can restrict the agents on the CA: in the CA's properties, on the Enrollment Agents tab, choose "Restrict enrollment agents" and list, per agent, the templates it may use and the users or groups it may enroll on behalf of (the default is that every agent may enroll anyone for any eligible template).

Step 3: Set Issuance Requirements on the Target Cert Template
On the target certificate template (the one whose certificates the agents will request for other users), open the Issuance Requirements tab, set "This number of authorized signatures" to 1, and set "Policy type required in signature" to Application policy with "Certificate Request Agent" as the policy. Without this the template does not appear in the Enroll On Behalf Of wizard and the CA will not accept agent-signed requests for it. Do this on a dedicated copy of the template (for example a duplicated Smartcard Logon template), because a template that requires an authorized signature can no longer be obtained through autoenrollment.

Step 4: Enroll on behalf of ..
On the enrollment station, log in with the enrollment agent account, run mmc.exe and open the Certificates snap-in for "My user account". Right-click Personal -> All Tasks -> Advanced Operations -> Enroll On Behalf Of... The wizard asks for the signing certificate (the enrollment agent certificate from Step 2), the template from Step 3, and the user to enroll; then follow the wizard to completion. The agent certificate's private key must be usable on that machine, whether on a smart card or in the agent's local certificate store.
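The four steps above are all done in the GUI, which makes it easy to lose track of what the resulting configuration actually permits. The PowerShell below is an added example, not code from the original post: it reads the Certificate Templates container in the forest's Configuration partition and reports, for each template, whether it issues Enrollment Agent certificates (Certificate Request Agent EKU), whether it accepts agent-signed requests (the Step 3 setting, stored in msPKI-RA-Signature and msPKI-RA-Application-Policies), and which principals hold the Enroll right on it. It assumes a domain-joined machine with PowerShell 2.0 or later and read access to the Configuration partition (authenticated users have that by default); the certutil lines at the end must be run on the CA as a CA administrator, and the template name EnrollmentAgentRestricted is illustrative.

```powershell
# Added example (not from the original post): audit the two halves of enroll-on-behalf-of.
# Half one: which templates issue Enrollment Agent certificates and who may enroll for them.
# Half two: which templates accept an agent-signed request (Step 3 above).

$CertRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'                      # Certificate Request Agent
$EnrollRightGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # "Enroll" extended right
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-EnrollPrincipals {
    # Identities allowed to Enroll on a template: an explicit "Enroll" ACE, an ACE granting
    # all extended rights (empty ObjectType), or GenericAll. Inherited ACEs from the
    # Certificate Templates container are included on purpose, since they count too.
    param([System.DirectoryServices.DirectoryEntry]$Template)
    try {
        $rules = $Template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    } catch {
        # An unresolvable SID makes the NTAccount translation throw; fall back to raw SIDs.
        $rules = $Template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    }
    $rules |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) -or
                ((($_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
                 ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [Guid]::Empty))
            )
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Get-EnrollmentAgentAudit {
    $configNc  = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($t in $container.Children) {
        $name   = [string]$t.Properties['cn'].Value                     # internal name, as used by certutil
        $ekus   = @($t.Properties['pKIExtendedKeyUsage'])                # empty when the template has no EKU
        $raSigs = [int]$t.Properties['msPKI-RA-Signature'].Value         # "This number of authorized signatures"
        $raPols = [string]$t.Properties['msPKI-RA-Application-Policies'].Value

        $issuesAgentCert = $ekus -contains $CertRequestAgentOid
        # Enroll On Behalf Of works only when the template needs >= 1 signature and that signature
        # must carry the Certificate Request Agent policy. On v3+ templates the attribute is a
        # longer serialized string, so a substring match on the OID covers both template versions.
        $acceptsAgentSig = ($raSigs -ge 1) -and ($raPols -like "*$CertRequestAgentOid*")

        if ($issuesAgentCert -or $acceptsAgentSig) {
            New-Object PSObject -Property @{
                Template           = $name
                IssuesAgentCert    = $issuesAgentCert
                AcceptsAgentSigned = $acceptsAgentSig
                SignaturesRequired = $raSigs
                EnrollAllowedTo    = ((Get-EnrollPrincipals $t) -join '; ')
            } | Select-Object Template, IssuesAgentCert, AcceptsAgentSigned, SignaturesRequired, EnrollAllowedTo
        }
    }
}

# Run from any domain-joined machine:
Get-EnrollmentAgentAudit | Format-Table -AutoSize

# Run on the CA as a CA administrator: publish the duplicated template from Step 1
# (illustrative name), list what the CA currently issues, and dump the Windows 2008
# per-agent restrictions, which the CA keeps in its EnrollmentAgentRights registry value.
certutil -SetCATemplates '+EnrollmentAgentRestricted'
certutil -CATemplates
certutil -getreg CA\EnrollmentAgentRights
```

Two rows deserve attention in the output: any template with IssuesAgentCert set whose EnrollAllowedTo column lists more than the dedicated agent group (after Step 1, the original built-in "Enrollment Agent" template should no longer be published, but its ACL still shows who could enroll for it if it were), and any template with AcceptsAgentSigned set that you did not intend to make enrollable on behalf of others.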

For more detailed step-by-step, check out this blog.
