An administrator may choose to enroll smart card certificates on behalf of another user. This requires issuing an "enrollment agent" certificate and adjusting a Smart Card Certificate template to require that certificate for enrollment.
To issue an enrollment agent certificate, follow first few steps of the article on setting up templates for self enrollment, but choose to duplicate the enrollment agent template instead.
Follow the steps to issue the template to the CA "Certificate Template" store, and request an Enrollment Agent certificate for yourself, or for another person authorized to create smart cards on behalf of the users.
Then duplicate a smart card template, just as in the article on setting up templates for self enrollment, but make the following changes to the Issuance Requirements tab of the template: Set the number of authorized signatures to 1, the policy type to "Application policy", and the application policy OID to "Certificate Request Agent". This will ensure that the template will be made available to users with the Enrollment Agent role.
Make sure to rename this template so that it is clear that this is an "enroll on behalf of" template, and issue it to the CA certificate store.
See the separate article on how to enroll the actual certificates on behalf of other users.
0 Comments