Previous page

Next page

Locate page in Contents

Create an Enrollment Agent Template

To create the Enrollment Agent template:

  1. From the Certificate Authority server, launch the Certificate Authority management console (MMC) from Administrative Tools.
  2. Expand the CA, right -click on the "Certificate Templates" folder and select Manage.
  3. Right-click the Enrollment Agent template and choose Duplicate Template. The new template properties window opens. On the General tab, configure the following properties:
    • Template display name: PrlsEnrollmentAgent
    • Template name: PrlsEnrollmentAgent
    • Validity period: 2 years
    • Renewal period: 6 weeks
    • Publish certificate in Active Directory: ON
    • Do not automatically re-enroll if a duplicate certificate exists in Active Directory: OFF

      Note: The display name can be any name you choose, however the template name must match the template name highlighted above.

    pic-031.png

  4. Select the Cryptography tab and set the following values:
    • Provider category: Legacy Cryptographic Service Provider (read-only).
    • Algorithm name: Determined by CSP
    • Minimum key size: 2048

    In the section Choose which cryptographic providers can be used for requests, choose Requests must use one of the following providers. In the following list of providers, clear all options except Microsoft Strong Cryptographic Provider and set priority as the preferred provider:

    [X] Microsoft Strong Cryptographic Provider

    [ ] Microsoft Enhanced Cryptographic Provider v 1.0

    [ ] Microsoft Base Cryptographic Provider v 1.0

    [ ] Microsoft Enhanced RSA and AES Cryptographic Provider

    pic-032.png

  5. Select the Security tab and do the following:
    • Click Add.
    • Add the enrollment agent user account.
    • Allow (select) the “Read” and “Enroll” permission. Click Apply and OK.

    pic-033.png

Issue the certificate template

To issue the certificate template that you've created:

  1. Run Certificate Authority again and right click on Certificate Templates, select new and click on Certificate Template to Issue.
  2. Select the certificate template you've created in the the previous steps (i.e. Prls Enrollment Agent) and click OK.
  3. The certificate template should appear in the Certificate Templates list.

Note: After creating the Enrollment Agent template and the Smartcard Logon template (described later), you should restart the Active Directory Certificate Services service in Windows.