Now that you have an enrollment agent certificate, you can generate certificates for your users.
For this tutorial, we will simulate enrolling certificates used to log in with a smart card, because it's common for an enrollment agent to enroll certificates to write them to smart cards to be issued to employees of a company.
To do this, in the "Certification Authority" console, right-click "Manage" on the "Certificate Templates" folder.
Right-click "Duplicate Template" on the "Smartcard Logon" certificate template.
Specify a name for this new certificate template.
For example : Smartcard Logon v2.
In the "Security" tab, click on : Add.
Provide the name of your enrollment agent and click OK.
Grant "Read" and "Enroll" rights to your enrollment agent.
Indeed, it's your enrollment agent who will enroll the certificates for your users.
So, he is the one who must have the "Enroll" right.
In the "Issuance Requirements" tab, you will see that no option is configured by default.
Before you can enroll certificates for your users as an enrollment agent using this certificate template, you must configure the options as shown below.
Otherwise, an error regarding the number of authorized signatures will occur in the "mmc" console.
Click OK.
Your new certificate template appears in the list.
As usual, don't forget to add the new certificate template to the list of certificate templates to issue.
To do this, right-click "New -> Certificate Template to Issue" on the "Certificate Templates" folder.
Select the "Smartcard Logon v2" certificate template you just created and click OK.
The new certificate template appears in the list of certificate templates to be issued.
In our case, we have created an "InformatiUser" user.
To request (enroll) certificates for your users as an enrollment agent, open the "mmc" console on the computer or server where you are logged in as the enrollment agent and add the "Certificates" component for the current user.
Then, right-click "All Tasks -> Advanced Operations -> Enroll On Behalf Of..." on the "Personal" certificate store.
At the "Select Enrollment Agent Certificate" step, click the "Browse" button.
Confirm the choice of your enrollment agent certificate.
Once the enrollment agent signing certificate is selected, click : Next.
Select the "Smartcard Logon v2" certificate template to request a certificate for one of your users and click Next.
If this certificate template doesn't appear in your case in this "Certificate Enrollment" wizard, click on "Show all templates" to get information about the problem.
Indeed, it's possible that the error is :
Plain Text
1 2 | The certificate template requires too many RA signatures. Only one RA signature is allowed. Multiple request agent signatures are not permitted on a certificate request. |
To solve this problem, go to the "Issuance Requirements" tab of your new "Smartcard Logon v2" certificate template and configure the options as explained previously (in step "4. Create a new certificate template : Smartcard Logon").
Then, this problem will not occur again.
Once the "Smartcard Logon v2" certificate template has been selected, you will need to specify for which user you wish to enroll a certificate in their name.
To specify a user, you must specify his username or : [domain name]\[username].
You can also select a user from your Active Directory domain by clicking the "Browse" button.
By default, the search will be performed on the local server or computer (as you can see in the "From this location" box).
However, we want to generate a certificate for a user of our Active Directory domain.
To do this, click on : Locations.
Select your Active Directory domain and click OK.
Then, enter the username of the desired user and click : OK.
The desired user appears in the "User name or alias" box of the wizard.
Click on Enroll.
Once the certificate is enrolled, click on "Details", then on "View certificate" (if you wish).
Otherwise, click Close.
The new certificate enrolled for the desired user appears in your "Personal" certificate store (thus that of the enrollment agent).
If you open this new certificate by double-clicking on it, you will see that this certificate is designed for the following roles :
You will also see that it was delivered to the desired user despite you (the enrollment agent) requesting it.
If you go to the "Details" tab and select the "Subject" field, you will see the user's name (along with their LDAP location) appear.
If you select the "Enhanced Key Usage" field, you will see this appear :
Plain Text
1 2 | Smart Card Logon (1.3.6.1.4.311.20.2.2) Client Authentication (1.3.6.1.5.5.7.3.2) |
Articles 1/26/2024
Articles 9/8/2023
Windows Server 12/29/2023
Windows Server 1/19/2024
Pinned content
Contact
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.
No comment