With Active Directory Certificate Services, you can obtain a certificate for your server, computer, or user automatically (through auto-enrollment) or manually through the "mmc" console.
However, you can also create a user (called an "Enrollment Agent") who is authorized to enroll certificates on behalf of other users.
This is very useful if you want to provide smart cards to your users, on which the certificates enrolled by the enrollment agent on behalf of your users can be quickly stored.
Any Active Directory user can become an enrollment agent.
It therefore doesn't need administrator rights.
In our case, we created a new user that we named: IWAgent.
As you can see, it's a simple domain user.
To get started, open the "Certification Authority" console, right-click on "Certificate Templates" and click "Manage".
Right-click on the "Enrollment Agent" certificate template and click "Duplicate Template".
Specify "Enrollment Agent v2" (for example) as the display name for this template.
In the "Security" tab, click on the "Add" button.
Provide the name of the user you created and want to use as the enrollment agent and click OK.
Grant it "Read" and "Enroll" rights so that it can enroll (obtain) an enrollment agent certificate.
This certificate will allow it to enroll certificates for other users on their behalf.
Click OK.
The newly created certificate template appears in the list.
Finally, right-click on the "Certificate Templates" folder and click on: New -> Certificate Template to Issue.
Select the newly created certificate template (in our case: Enrollment Agent v2) and click OK.
The new certificate template to be issued appears in the list.
Log on to one of the servers or computers that are members of your Active Directory domain as the user you authorized to enroll a certificate from the new "Enrollment Agent v2" certificate template.
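Once the template is published, it is worth verifying from the directory side what you just configured: that the template really issues a Certificate Request Agent certificate and exactly which principals hold Enroll (or broader) rights on it, since anyone who can enroll for this template can then request certificates in other users' names. The script below is an added example written for this page, not code from InformatiWeb; it assumes the ActiveDirectory RSAT module, a domain account able to read the Configuration partition, and the "Enrollment Agent v2" template name used in the tutorial. Note that, independently of the template ACL, an enterprise CA can also restrict which agents may enroll on behalf of which users through the "Enrollment Agents" tab of the CA properties.

```powershell
# Added example (not part of the original tutorial): audit the "Enrollment Agent v2"
# template after the steps above. It checks that the template issues a Certificate
# Request Agent certificate and lists every principal allowed to enroll for it.
# Assumes the ActiveDirectory RSAT module and a domain account that can read the
# Configuration partition; the template name is the one chosen in the tutorial.
Import-Module ActiveDirectory

$TemplateName    = 'Enrollment Agent v2'
$RequestAgentEku = '1.3.6.1.4.1.311.20.1'   # Certificate Request Agent EKU

# Well-known extended-right GUIDs found in certificate template ACLs
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$GenericAll      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Templates are stored in the Configuration naming context, not in the domain partition
$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$template = Get-ADObject -SearchBase $searchBase -LDAPFilter "(cn=$TemplateName)" `
                -Properties nTSecurityDescriptor, pKIExtendedKeyUsage
if (-not $template) { throw "Template '$TemplateName' not found under $searchBase" }

# 1. Confirm the EKU the tutorial shows in the issued certificate is set on the template
$hasAgentEku = $template.pKIExtendedKeyUsage -contains $RequestAgentEku
"Template '{0}' carries the Certificate Request Agent EKU: {1}" -f $TemplateName, $hasAgentEku

# 2. List who can enroll. Enroll and AutoEnroll are extended rights; GenericAll, or an
#    ExtendedRight ACE with an empty ObjectType (all extended rights), grants them too.
$template.nTSecurityDescriptor.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $rights = $_.ActiveDirectoryRights
        $grant  = $null
        if (($rights -band $GenericAll) -eq $GenericAll) {
            $grant = 'GenericAll'
        }
        elseif (($rights -band $ExtendedRight) -ne 0) {
            if     ($_.ObjectType -eq $EnrollRight)     { $grant = 'Enroll' }
            elseif ($_.ObjectType -eq $AutoEnrollRight) { $grant = 'AutoEnroll' }
            elseif ($_.ObjectType -eq [guid]::Empty)    { $grant = 'All extended rights' }
        }
        if ($grant) {
            [pscustomobject]@{ Principal = $_.IdentityReference.Value; Grant = $grant }
        }
    } | Format-Table -AutoSize
```

With the rights assigned as in the "Security" tab above, the expected output is the enrollment agent user (IWAgent in this tutorial) with "Enroll", plus the default administrative groups inherited from the original "Enrollment Agent" template; any other principal listed here should be reviewed.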
Launch a "mmc" console and click: File -> Add/Remove Snap-in.
Select the "Certificates" component and click: Add.
Then, click OK.
Right-click on your "Personal" certificate store and click: All Tasks -> Request New Certificate.
Select your new "Enrollment Agent v2" certificate template and click "Details", then "Properties" if you want to add a friendly name in the certificate that will be enrolled (issued).
In the "General" tab, you can add a friendly name if you want, then click OK.
Click on "Enroll".
Your enrollment agent certificate has been enrolled.
Click Finish.
In your "Personal" certificate store, you will find your new enrollment agent certificate whose intended purpose is: Certificate Request Agent.
If you open this certificate and select the "Enhanced Key Usage" field, you will see this: Certificate Request Agent (1.3.6.1.4.1.311.20.1).
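The same Enhanced Key Usage value can be checked without opening each certificate by hand, which is handy for confirming the enrollment succeeded on the right account and, later, for spotting enrollment agent certificates that should no longer exist on a machine. The script below is an added example written for this page, not code from InformatiWeb; it only assumes a Windows host with the Cert: provider (any PowerShell 3.0 or later) and reads the current user's Personal store, the same store the tutorial uses.

```powershell
# Added example (not part of the original tutorial): find enrollment agent certificates
# in the current user's Personal store by the Enhanced Key Usage value the tutorial
# shows in the certificate dialog, and report whether the private key is present.
$RequestAgentEku = '1.3.6.1.4.1.311.20.1'   # Certificate Request Agent

# Extension OIDs that record the template a certificate was issued from
$TemplateExtOids = '1.3.6.1.4.1.311.21.7',  # Certificate Template Information (v2+ templates)
                   '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

function Get-EnrollmentAgentCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Locate the Enhanced Key Usage extension; certificates without one are skipped
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $ekuExt) { return }

        # Keep only certificates whose EKU list contains Certificate Request Agent
        $isAgent = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequestAgentEku }
        if (-not $isAgent) { return }

        # Decode the template extension so the issuing template name is visible
        $tplExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -in $TemplateExtOids } |
            Select-Object -First 1
        $templateInfo = if ($tplExt) { $tplExt.Format($false) } else { 'n/a' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Template      = $templateInfo
        }
    }
}

Get-EnrollmentAgentCertificate | Format-Table -AutoSize
```

Run as the enrollment agent user after the "Enroll" step, the output should show one certificate with HasPrivateKey set to True and a Template value naming "Enrollment Agent v2"; pass a different store path (for example Cert:\LocalMachine\My) to the function to inspect other stores.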
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.