Setting up a Certificate Templates to Enroll on behalf of other Users

An administrator may choose to enroll smart card certificates on behalf of a user. This requires issuing an "enrollment agent"� certificate and adjusting the Smart Card Certificate template to require that certificate for enrollment.

To issue an enrollment agent certificate, follow the article on setting up templates for self enrollment. but duplicate the enrollment agent template.


Add the template to the CA "Certificate Template" store, and issue a template to yourself, or to another person authorized to create smart cards on behalf of the users.

Then duplicate a smart card template, just as in  the article on setting up templates for self enrollment, but make the following changes to the issuance requirement: Set the number of authorized signatures to 1, the policy type to "application Policy", and the application policy OID to "Certificate Request Agent"�. This will ensure that the template will be made available to users with the Enrollment Agent role.


 Make sure to rename this template so that it is clear that this is an "enroll on behalf of" � template, and add it to the CA certificate store.

See the separate article on how to enroll the actual certificates on behalf of other users.

Have more questions? Submit a request


Please sign in to leave a comment.
Powered by Zendesk