To enroll a smart card certificate on behalf of another user, make sure the smart card certificate templates on the CA have been set up to enable this, and make the user that will be doing the enrollment has an "Enrollment Agent" certificate issued to them. (See articles on Setting up Certificate Templates to Enroll on behalf of other Users for the Windows Server version being used.)
The user doing the enrollment should be logged in. Then run MMC.exe. The MMC console will appear.
Select "Add Remove Snap" from the File menu. Select Certificates and then "My User account" or "Current User". Note this may default for you.
Right click the Certificate Current User / Personal / Certificate store, and select "Enroll on behalf of" from All Tasks / Advanced Operations.
Click through the "Before You Begin" screen, and on the "Certificate Enrollment" screen, click the "Browse..." button and select the "Enrollment Agent" certificate you have been issued.
(If no Enrollment Agent certificate is available you will need to request one be issued to you. See the end of Step 1 in the article Setting up Certificate Templates to Enroll on behalf of other Users (Server 21012 R2 & 2016).)
On the next page select the smart card enrollment certificate template you have duplicated and modified.
Click next and select the user for whom you are enrolling the smart card certificate.
Click next. The following dialog may appear asking you to insert the user's smart card if it is not already inserted.
NOTE: if the Enrollment Agent certificate is on the EA's smart card, during enrollment for the other user, you'll be prompted to insert the Enrollment Agent card and PIN, and the other (new) user's card and PIN, possibly multiple times, thus swapping the cards in and out of the reader. If you don't pay careful attention to the prompts, you may end up placing the other user's logon certificate onto the Enrollment Agent's smart card inadvertently.
Enter the user PIN.
If the enrollment is successful, the dialog will show the following:
0 Comments