2

I'm trying to setup S/MIME for a few users, which requires certificates. I'm not using smartcards, and not using autoenrollment for these certificates. Server is running 2012R2.

I created a template that works fine when I manually request a certificate in the certificates mmc All Tasks -> Request Certificate

But for some users IT staff will have to create their certificates for them and deliver them on a USB drive or something. So I want to also be able to use All Tasks -> Advanced Operations -> Enroll on Behalf of. I have the appropriate Certificate Request Agent certificate, so I should be able to do that.

But my S/MIME certificate template doesn't show up in the list of available templates. Instead it says The certificate template requires too many RA signatures. Only one RA signature is allowed. Multiple request agent signatures are not permitted on a certificate request"

This seems to be related to issuance requirements in the template. If I check This number of authorized signatures and set it to 1, I can use enroll on behalf of. But I seem to lose the ability for people to request the certificate on their own.

Is there a way to allow users to request their own certificate, or an admin to request one on their behalf? Am I just supposed to use two different certificate templates for this?

Grant
  • 17,671
  • 14
  • 69
  • 101

1 Answers1

3

You cannot use the same template for direct enrollment and for "enroll on behalf of" operations. You have to use two separate templates.

Edit 31.10.2015:

The whole purpose of "Enroll On Behalf Of" functionality is to direct users through registration authority (RA) where certificate issuance is approved and registered (somewhere). For example, a company decided to issue smart cards to users. Company designates a highly trusted person who will act as an enrollment agent. Prior to issue certificate, an enrollee must be instructed about smart card usage, how to act in special cases (when the card is stolen, lost, damaged, etc.). During this procedure (usually during face-to-face interviews), an enrollee signs related documents and enrollment agent registers smart card (binds card's serial number to a user, for example).

Technically this procedure is accomplished by adding an additional signature to certificate request. That is, if certificate request requires additional signature (enrollment agent signature)m then users MUST go through registration authority to get the certificate.

Otherwise, users could get certificate on their own, without having to pass registration process, thus compromising entire registration authority purpose. And this is why you have to use different templates, where first template is used only with registration authority (critical certificates) and second one where users can enroll certificate on their own (non-critical certificates).

HTH

Crypt32
  • 6,414
  • 1
  • 13
  • 32
  • Based on your post history, it certainly looks like you know what you are talking about. Do you have any technet articles you could link to that explain why it's necessary? I couldn't really find anything authoritative. – Grant Oct 30 '15 at 14:18
  • please, see my today's edit. – Crypt32 Oct 31 '15 at 13:25
  • thanks for the detailed explanation! Seems Enroll on Behalf Of isn't really what I wanted it to be. – Grant Oct 31 '15 at 15:01