Create an enrollment agent to enroll certificates on behalf of someone else on Windows Server 2016

  • Windows Server
  • 12 January 2024 at 10:03 UTC
  • InformatiWeb
  • 3/3

6. Restrict enrollment agents

Since Windows Server 2008, you have the ability to restrict what enrollment agents can do (if desired).

To do this, in your "Certification Authority" console, right-click the name of your certification authority and select "Properties".

In the properties window that appears, go to the "Enrollment Agents" tab.
As you can see, the "Do not restrict enrollment agents" option is selected by default.

Permissions are therefore managed only on the certificate templates you create and whether or not a user has a currently valid enrollment agent certificate.

If you select the "Restrict enrollment agents" option, a warning appears stating that these restrictions only apply to certification authorities running Windows Server 2008 or later.

The warning reads:

    Restrictions on delegated enrollment agents can only be enforced on Windows Server 2008 CAs and later.
    Before designating delegated enrollment agents, make sure your enrollment agent policy is appropriate for your PKI environment.

As you can see, by default, all enrollment agents can enroll certificates using any certificate template for which they have the "Enroll" permission, and issue them to any user they wish.
To allow only some enrollment agents to enroll certificates through your CA, start by clicking "Add" in the first section (Enrollment Agent).

Warning: for each of the three sections in this tab, you must always add at least one entry of your own before deleting the one present by default.
Otherwise, the "Do not restrict enrollment agents" option will be reselected automatically and you will lose the changes made in the various sections of this tab.

Provide the name of the enrollment agent or a group of enrollment agents (if applicable) that you want to allow to enroll certificates through your certification authority, then click OK.

The added enrollment agent or enrollment agent group appears in the list of enrollment agents authorized to enroll certificates through your certification authority.

Now that you've restricted the authorized enrollment agents, remove the default "Everyone" group from this list.

To prevent your enrollment agents from issuing certificates using whatever certificate templates they have access to, you can limit the templates they can use.
To do this, for the "Certificate Templates" section, click on the "Add" button.

Select the certificate template that your agents can issue to your users and click OK.

Once you've added the template(s) you want to allow for certificate enrollment by your enrollment agents, remember to remove the default "<All>" value.

Finally, you can choose which users or groups of users your agents can enroll certificates for.
To do this, for the "Permissions" section, click on "Add".

Specify the name of a user or user group and click OK.

The desired user or group of users appears in the list of permissions.
As before, don't forget to remove the "Everyone" group so that the restriction is correctly applied.

In our case, our "IWAgent" agent will only be able to issue certificates based on our "Smartcard Logon v2" certificate template to all users in our Active Directory domain.
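To check afterwards (for instance during an audit) that the restriction configured above is actually enforced, the following PowerShell script, which is an added example and not part of this tutorial, reads the setting that the "Enrollment Agents" tab writes and flags a leftover "Everyone" entry. It assumes it runs in an elevated session on the CA server itself and that the CA stores the tab's settings as the EnrollmentAgentRights binary security descriptor under its CertSvc configuration key (the value is absent when "Do not restrict enrollment agents" is selected).

```powershell
# Added audit script (not from the tutorial). Assumptions: elevated PowerShell on the CA
# server; the tab's settings live in the EnrollmentAgentRights value of the CA's config key.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$caKey  = Join-Path -Path $cfgKey -ChildPath $caName

$raw = (Get-ItemProperty -Path $caKey -Name EnrollmentAgentRights -ErrorAction SilentlyContinue).EnrollmentAgentRights

if (-not $raw) {
    # No descriptor stored: the CA is in "Do not restrict enrollment agents" mode.
    Write-Output "[$caName] Enrollment agents are NOT restricted: any valid agent may enroll any template for any user."
    return
}

# Parse the binary security descriptor with the .NET ACL classes.
$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($raw, 0)
$leftoverEveryone = 0

Write-Output "[$caName] Enrollment agents ARE restricted. Entries in EnrollmentAgentRights:"
foreach ($ace in $sd.DiscretionaryAcl) {
    # Only ACE types that carry a trustee SID can be resolved to an account name.
    if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) {
        Write-Output ('  {0,-26} (no trustee SID)' -f $ace.AceType)
        continue
    }
    $sid = $ace.SecurityIdentifier
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }   # unresolvable SID: print it as-is

    $line = '  {0,-26} {1}  (mask 0x{2:X})' -f $ace.AceType, $name, $ace.AccessMask
    # S-1-1-0 is the well-known SID of "Everyone", the default entry the tutorial says to remove.
    if ($sid.Value -eq 'S-1-1-0') {
        $line += '   <-- default "Everyone" entry still present; restriction is not effective'
        $leftoverEveryone++
    }
    Write-Output $line
}

if ($leftoverEveryone -gt 0) {
    Write-Output "FINDING: $leftoverEveryone 'Everyone' entr(y/ies) remain; remove them in the Enrollment Agents tab."
} else {
    Write-Output 'OK: no "Everyone" entry remains in the enrollment agent restrictions.'
}
```

On the CA server, `certutil -getreg CA\EnrollmentAgentRights` prints the same stored value if you prefer to inspect it without PowerShell.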

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
