Users can obtain certificates as needed by using the Certificate Request Wizard to request a certificate based on a certificate template. Before they can do this, you must enable the certificate template for these operations.

To properly configure subject enrollment, the administrator must plan the appropriate certificate template or templates to use. Several settings in the certificate template directly affect the behavior of certificate enrollment. For more information on these settings, see:

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To allow subjects to request a certificate that is based on a template
  1. Open the Certificate Templates snap-in.

  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

  3. On the Security tab, add the groups, computers, or users from which you want to allow certificate requests.

  4. In Group or user names, click one of the new objects, and then, on Permissions for ObjectName, under the Allow column, select the Read and Enroll check boxes.

  5. Repeat the previous step for each new object.
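
The same permission change can be scripted and then checked. The following PowerShell is an added example, not part of the original procedure: it grants Read and Enroll on one template to one group and then lists every principal whose access entry allows enrollment on that template. The template name `ExampleTemplate` and the group `Cert-Enrollers` are placeholders, and the script assumes the ActiveDirectory module (RSAT) and an account with the membership stated above.

```powershell
# Added example: grant Read + Enroll on a certificate template, then verify.
# Placeholders (not from the page): template CN and group name below.
Import-Module ActiveDirectory

$TemplateName = 'ExampleTemplate'   # placeholder template CN
$GroupName    = 'Cert-Enrollers'    # placeholder group (sAMAccountName)

# Extended-right GUID for Certificate-Enrollment (the "Enroll" check box).
$EnrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Certificate templates are stored in the forest's configuration naming context.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$path       = "AD:\$templateDN"

$sid    = (Get-ADGroup -Identity $GroupName).SID
$acl    = Get-Acl -Path $path
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$allow  = [System.Security.AccessControl.AccessControlType]::Allow

# Read: generic read access to the template object.
$readAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights::GenericRead, $allow)
# Enroll: an extended right scoped to the enrollment GUID only.
$enrollAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights::ExtendedRight, $allow, $EnrollRight)

$acl.AddAccessRule($readAce)
$acl.AddAccessRule($enrollAce)
Set-Acl -Path $path -AclObject $acl

# Verify: every Allow entry that permits enrollment, including entries that
# carry all extended rights (empty ObjectType), such as Full Control.
(Get-Acl -Path $path).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $rights::ExtendedRight) -and
        ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

Review the final listing for broad principals such as Authenticated Users or Domain Users that you did not intend to allow.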