It is not always possible for users to enroll for a certificate on their own behalf. This can be the case for a user smart card certificate. By default, only domain administrators are granted permission to request a certificate on behalf of another user. However, a user other than a domain administrator can be granted permission to become an enrollment agent. A user becomes an enrollment agent by enrolling for an Enrollment Agent certificate.
Once someone has an Enrollment Agent certificate, that person can enroll for a certificate and generate a smart card on behalf of anyone in the organization. The resulting smart card could then be used to log on to the network and impersonate the real user. Because of the powerful capability of the Enrollment Agent certificate, it is strongly recommended that your organization maintain very strong security policies for these certificates.
Membership in the Users group and an Enrollment Agent certificate are the minimum requirements to complete this procedure. Review the details in "Additional considerations" in this topic.
|To enroll for a certificate on behalf of other users|
Open the Certificates snap-in for a user.
In the console tree, expand the Personal store, and then click Certificates.
On the Action menu, point to All Tasks, point to Advanced Operations, and then click Enroll on behalf of to open the Certificate Enrollment wizard. Click Next.
Browse to the Enrollment Agent certificate that you will use to sign the certificate request that you are processing. Click Next.
Select the type of certificate that you want to enroll for. When you are ready to request a certificate, click Enroll.
After the Certificate Renewal Wizard has successfully finished, click Close.
- User certificates can be managed by a user or
by an administrator. To open the Certificates snap-in, see Add the Certificates
Snap-in to an MMC.