Create the Enrollment Agent Certificate Request

Use the following method to enroll for an initial enrollment agent certificate if you're planning to use the certificate for CSR validation (see Configure the Enrollment Agent Certificate (Optional)). If you're enrolling for enrollment agent certificates for use with enroll on behalf of functionality, you can wait to enroll for these until your gateway is fully installed and then enroll for these through your gateway (see Configure a Certificate for Enroll on Behalf of (Optional)).

To create the request (CSR) to generate the enrollment agent certificate:

  1. Open the Certificates MMC Snap-In for the Local Computer store on the gateway machine. One way to do this is to open an administrative command prompt and execute the following command:

    certlm.msc

  2. Right-click on the Personal folder under Certificates (Local Computer) and choose All Tasks->Advanced Operations->Create Custom Request....
  3. On the Before you Begin page of the Certificate Enrollment wizard, click Next.
  4. On the Select Certificate Enrollment Policy page, highlight Proceed without enrollment policy under Custom Request and click Next.
  5. On the Custom request page, select (No template) Legacy key in the Template dropdown and choose a Request format of PKCS #10. Click Next.
  6. On the Certificate Information page, click the Details down arrow to open details for the custom request and click Properties.
  7. In the Certificate Properties dialog on the Subject tab, in the Subject name section select a Type of Common name, enter a common name that contains your domain name (e.g. Keyfactor Enrollment Gateway for yourlocaldomain.com) and click Add.
  8. In the Certificate Properties dialog on the Private Key tab, click the Key options down arrow to open the configuration options for the key. Choose 2048 in the Key size dropdown. Do not check any of the boxes in this section. The private key should not be exportable. Click OK to close the Certificate Properties dialog.
  9. Back on the Certificate Information page, click Next.
  10. On the “Where do you want to save the offline request?” page, provide a file name for the request, click Browse... to choose a location in which to save it, and select the Base 64 radio button for the File format. Click Finish.
  11. Submit your CSR to Keyfactor for signing.
Tip: Once the gateway is up and running, you will be able to request renewed enrollment agent certificates through the gateway using the Keyfactor Command Management Portal, the Microsoft MMC, or certreq commands. If you plan to use the Keyfactor Command Management Portal, you can either generate the CSR as described above, use the CSR enrollment method in the Management Portal, and then marry the private key with the certificate as described in Import the Enrollment Agent Certificate, or use the PFX enrollment method in the Management Portal and import the certificate and private key. You will need a template that has an extended key usage (EKU) of Certificate Request Agent and which supports Supply in the request for the subject name if you wish to use a custom name (e.g. a copy of the built-in Enrollment Agent (Computer) template configured on the Subject Name tab for Supply in the request).
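The same request can be produced from an administrative PowerShell prompt with certreq, which the tip above mentions as an alternative to the MMC. The script below is an added example and is not part of the Keyfactor documentation; the INF keys are my mapping of the wizard choices in steps 7, 8 and 10 (common name, legacy 2048-bit non-exportable key in the Local Computer store, PKCS #10, Base64 output), and the file paths and domain name are placeholders to replace.

```powershell
# Added example (not Keyfactor's own script): certreq equivalent of the
# MMC custom-request wizard. Run from an administrative prompt so the key
# is created in the Local Computer store. Paths and CN are placeholders.
$infPath = "C:\Temp\enrollment-agent.inf"
$csrPath = "C:\Temp\enrollment-agent.req"

@"
[NewRequest]
; Step 7: common name containing your domain (replace yourlocaldomain.com).
Subject = "CN=Keyfactor Enrollment Gateway for yourlocaldomain.com"
; Step 5 "(No template) Legacy key": a legacy CSP with KeySpec 1 rather than a CNG KSP.
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
; Step 8: 2048-bit key, stored under the machine (not the user), never exportable.
KeyLength = 2048
MachineKeySet = TRUE
Exportable = FALSE
; Step 5 request format. No EKU is set here; it comes from the CA template
; (Certificate Request Agent) when Keyfactor signs the request.
RequestType = PKCS10
HashAlgorithm = sha256
"@ | Set-Content -Path $infPath -Encoding ASCII

# Step 10: certreq writes the PKCS #10 request Base64-encoded by default.
certreq -new $infPath $csrPath

# Sanity check before submitting: confirm the subject and 2048-bit key in the CSR.
certreq -dump $csrPath | Select-String -Pattern 'Subject:|Public Key Length'

# The pending request (with its private key) sits in the Certificate Enrollment
# Requests store until the issued certificate is accepted, so it is visible here.
Get-ChildItem Cert:\LocalMachine\REQUEST | Format-List Subject, HasPrivateKey, NotBefore
```

Submit the resulting .req file to Keyfactor as in step 11; when the signed certificate comes back, accepting it into the Local Computer store (for example with `certreq -accept`) marries it with the private key that certreq created, which is the same pairing the MMC wizard relies on. Keeping `Exportable = FALSE` matters for an enrollment agent certificate: this key can authorize certificates for other principals, so it should never leave the gateway machine.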