Create an Enrollment Agent template

To create the Enrollment Agent template:

  1. From the Certificate Authority server, launch the Certificate Authority management console (MMC) from Administrative Tools.
  2. Expand the CA, right -click on the "Certificate Templates" folder and select Manage.
  3. Right-click the Enrollment Agent template and choose Duplicate Template. The new template properties window opens. On the General tab, configure the following properties:
    • Template display name: PrlsEnrollmentAgent
    • Template name: PrlsEnrollmentAgent
    • Validity period: 2 years
    • Renewal period: 6 weeks
    • Publish certificate in Active Directory: ON
    • Do not automatically re-enroll if a duplicate certificate exists in Active Directory: OFF


  4. Select the Cryptography tab and set the following values:
    • Provider category: Legacy Cryptographic Service Provider (read-only).
    • Algorithm name: Determined by CSP
    • Minimum key size: 2048

    In the section Choose which cryptographic providers can be used for requests, choose Requests must use one of the following providers. In the following list of providers, clear all options except Microsoft Strong Cryptographic Provider and set priority as the preferred provider:

    [X] Microsoft Strong Cryptographic Provider

    [ ] Microsoft Enhanced Cryptographic Provider v 1.0

    [ ] Microsoft Base Cryptographic Provider v 1.0

    [ ] Microsoft Enhanced RSA and AES Cryptographic Provider


  5. Select the Security tab and do the following:
    • Click Add.
    • Add the enrollment agent user account.
    • Allow (select) the "Read" and "Enroll" permission. Click Apply and OK.


Issue the certificate template

To issue the certificate template that you've created:

  1. Run Certificate Authority again and right click on Certificate Templates, select new and click on Certificate Template to Issue.
  2. Select the certificate template you've created in the previous steps (i.e. Prls Enrollment Agent) and click OK.
  3. The certificate template should appear in the Certificate Templates list.
Was this topic helpful?