Configure a Certificate for Enroll on Behalf of (Optional)

This step only needs to be completed if you're using an enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). agent certificate for enroll on behalf of (EOBO A user with an enrollment agent certificate can enroll for a certificate on behalf of another user. This is often used when provisioning technology such as smart cards.) functionality.

First, determine whether you will be enrolling for certificates in a user context or a computer context—in other words, whether your enrollment agent certificate will reside in the local machine store on the machine from which the enrollment will take place or the request agent user's personal store. You will need a Microsoft template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. appropriate to the context (e.g. a copy of either the “Enrollment Agent” or “Enrollment Agent (Computer)” template). You will also need to identify a Microsoft template that will be used for the actual EOBO request. This is typically a copy of the “User” template with additional issuance requirements of:

This number of authorized signatures: 1
Policy type required in signature: Application policy
Application policy: Certificate Request Agent

Figure 737: Configure a Template for Enroll on Behalf of Requests

Contact your Keyfactor Customer Success Manager or support if you need assistance creating an appropriate enrollment agent template or appropriate EOBO template.

In EJBCA, you will need two appropriate certificate profiles to which to map the Microsoft templates for enrollment agent certificates and EOBO requests. For a Keyfactor-managed instance of EJBCA, this should be configured for you. Work with your Keyfactor Customer Success Manager to determine which EJBCA certificate templates should be mapped to your Microsoft templates to assure that you are using an EJBCA certificate profile that has been correctly configured with the certificate request agent EKU for your enrollment agent certificates and a certificate profile that has been correctly configured to build the subject from Active Directory for your EOBO requests.

Once you have your templates identified and fully configured in Keyfactor Command, use the gateway configuration wizard to map the Microsoft templates to the EJBCA templates.

Figure 738: Enable Issuance for the Enrollment Agent and EOBO Templates in the Gateway Configuration Tool

You can acquire an enrollment agent certificate in a number of different ways:

Generate a CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. and private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. on the machine on which you want to do an EOBO, use the CSR enrollment function in the Keyfactor Command Management Portal, return to the machine with the resulting certificate and marry that certificate with the private key.
Use the PFX A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. enrollment function in the Keyfactor Command Management Portal and import the resulting PFX on the machine on which you want to do an EOBO.
From the machine on which you want to do an EOBO, use the Microsoft MMC to request a certificate.
From the machine on which you want to do an EOBO, use certreq commands.

Enroll for an Enrollment Agent Certificate using the Microsoft MMC

The following instructions cover acquiring a certificate using the Microsoft MMC. Whichever method you choose, if you are using a certificate in the local machine store, you must do the final step of granting private key permissions to the user performing the EOBO.

To enroll for an enrollment agent certificate using the Microsoft MMC:

On each server on which you wish to acquire an enrollment agent certificate, do one of the following:
- Using the GUI:
  1. Open an empty instance of the Microsoft Management Console (MMC).
  2. Choose File->Add/Remove Snap-in….
  3. In the Available snap-ins column, highlight Certificates and click Add.
  4. In the Certificates snap-in popup, choose one of the following radio buttons:
    - Computer account—If you're enrolling for a certificate that will live in the local computer store.
    - My user account—If you're enrolling for a certificate that will live in the user's personal store.
    Click Next, accept the default of Local computer, and click Finish or just Finish if you selected the user store.
  5. Click OK to close the Add or Remove Snap-ins dialog.
- Using the command line:
  1. Open a command prompt:
    - Use the "Run as administrator" option if you're enrolling for a certificate that will live in the local computer store.
    - Do not use the "Run as administrator" option if you're enrolling for a certificate that will live in the user's personal store.
  2. Within the command prompt type one of the following to open the certificates MMC:
    - If you're enrolling for a certificate that will live in the local computer store:
      
      certlm.msc
    - If you're enrolling for a certificate that will live in the user's personal store:
      
      certmgr.msc
Drill down to the Personal folder under Certificates, right-click, and choose All Tasks->Request New Certificate….
Follow the certificate enrollment wizard, selecting your enrollment agent template. If your enrollment agent template is set to Supply in the request for the subject name, you will need to provide information for the certificate subject.

Grant Private Key Permissions to the Certificate

If you opted to enroll for a certificate into the local computer store, you will need to grant the user or other account that will enroll for certificates on behalf of another user access to the private key of the enrollment agent certificate to allow that user to make use of the certificate.

The user completing this step needs to be a member of the machine local administrators group.

To grant the enrollment agent private key permissions on the enrollment agent certificate in the local machine store:

When the enrollment completes, if you placed the certificate in the local machine store, locate the certificate in the Personal store (you may need to refresh), highlight it, and choose All Tasks->Manage Private Keys….
In the Permissions for private keys dialog, click Add, add the account that will be making the EOBO certificate requests, and grant it Read but not Full control permissions. Click OK to save.

Tip: Certificates in the local user store already grant the user owning the certificate private key permissions to the certificate, so this step is not required for certificates enrolled into the user's personal store.

Was this page helpful? Provide Feedback

Version v25.1.1

On this page: