Enrolling a Smart Card certificate on behalf of another user

To enroll a smart card certificate on behalf of another user, make sure the smart card certificate templates on the CA have been set up to enable this, and make the user that will be doing the enrollment has an "Enrollment Agent" certificate issued to them.  (See articles on Setting up Certificate Templates to Enroll on behalf of other Users for the Windows Server version being used.)

The user doing the enrollment should be logged in.  Then run MMC.exe. The MMC console will appear.

mmc1.jpg

Select "Add Remove Snap" from the File menu. Select Certificates and then "My User account" or "Current User".  Note this may default for you.

mmc2.jpg

Right click the Certificate Current User / Personal / Certificate store, and select "Enroll on behalf of" from  All Tasks / Advanced Operations.

image032.jpg

 

Click through the "Before You Begin" screen, and, on the "Certificate Enrollment" screen, click the "Browse.." button and select the "Enrollment Agent" certificate you have been issued.

 image033.jpg

(If no Enrollment Agent certificate is available you will need to request one be issued to you.  See the end of Step 1 in the article Setting up Certificate Templates to Enroll on behalf of other Users (Server 21012 R2 & 2016).)

On the next page select the smart card enrollment certificate template you have duplicated and modified.

 image034.jpg

 

Click next and select the user for whom you are enrolling the smart card certificate.

image035.jpg

Click next.  The following dialog may appear asking you to insert the user's smart card if it is not already inserted.

 image036.jpg

Enter the user PIN.

 image037.jpg

If the enrollment is successful, the dialog will show the following:

image038.jpg

 

Have more questions? Submit a request

0 Comments

Article is closed for comments.
Powered by Zendesk