I have one Windows Server 2008 domain controller with a CA server on it. I log in with the Administrator account and want to request a certificate "on behalf of" a user of my DC.
To do that, I first duplicated these certificate templates:
- smart login
- smart user
- enrollment agent
I changed the configuration and permissions of the new templates so that the Administrator account can read, write, and enroll for these templates.
After creating these new templates and assigning permissions and configuration, from MMC and the Certificates snap-in (for the user account's certificates, in the "Personal" section), we requested a new certificate for the Administrator account to make it an enrollment agent, as shown below:
It is generated with no problem, and we then want to request a certificate on behalf of a user with this new certificate. But in "Select enrollment agent certificate", when we click the "Browse" button, we have a problem because there is no certificate to select, as shown below:
there is no certificate available to choose
I read a lot of documents online, but I did not find the reason for this problem or how to solve it!
You need an enrollment agent certificate in the local user store (certmgr.msc)/machine store (certlm.msc) to request on behalf of. This is done by setting the signature count on the template.
If the signature count is not 0, you cannot enroll, because you first need an enrollment agent certificate...
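To verify both halves of that answer before clicking around in the MMC, the following PowerShell is an added example (not from the original question or answer). It checks whether the current user actually holds a certificate carrying the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1, the EKU an Enrollment Agent certificate has) together with its private key, which is what the "Select enrollment agent certificate" browse dialog looks for, and then reads the "authorized signatures required" count (msPKI-RA-Signature) straight from the templates in Active Directory. The template names `EnrollmentAgentCopy` and `SmartcardUserCopy` are placeholders for the duplicated templates and must be replaced with the cn values of the real ones.

```powershell
# Added example, not part of the original post.
# Certificate Request Agent EKU; an Enrollment Agent certificate carries this OID.
$EnrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'

# Return the certificates in a store that can act as an enrollment agent:
# they must carry the Certificate Request Agent EKU AND have a usable private key.
function Get-EnrollmentAgentCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # certmgr.msc "Personal"
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EnrollmentAgentEku })
        }
}

# Read the RA signature settings of a certificate template from the
# Configuration partition. msPKI-RA-Signature is the "number of authorized
# signatures" on the template's Issuance Requirements tab; the on-behalf-of
# template needs 1 (or more), the Enrollment Agent template itself needs 0.
function Get-TemplateSignatureCount {
    param([Parameter(Mandatory)][string]$TemplateName)   # the template's cn
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $tmpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    [pscustomobject]@{
        Template            = $TemplateName
        SignatureCount      = [int]$tmpl.Properties['msPKI-RA-Signature'].Value
        # Application policies the signing (agent) certificate must carry,
        # normally the Certificate Request Agent OID above.
        RequiredAgentPolicy = @($tmpl.Properties['msPKI-RA-Application-Policies'].Value)
    }
}

# 1. Is there an agent certificate where the user-account MMC snap-in looks?
$agentCerts = @(Get-EnrollmentAgentCertificate)
if ($agentCerts.Count -eq 0) {
    Write-Warning 'No Enrollment Agent certificate with a private key in CurrentUser\My; the Browse dialog will be empty.'
} else {
    $agentCerts | Format-Table Subject, Thumbprint, NotAfter -AutoSize
}

# 2. Do the templates have the signature counts the answer describes?
# Placeholder template names; replace with the cn of your duplicated templates.
'EnrollmentAgentCopy', 'SmartcardUserCopy' | ForEach-Object { Get-TemplateSignatureCount -TemplateName $_ }
```

The user-account Certificates snap-in only shows `Cert:\CurrentUser\My`; if the agent certificate was issued into the machine store instead, pass `-StorePath 'Cert:\LocalMachine\My'` to the first function and it will show up there. If the agent certificate is present but the on-behalf-of template reports a `SignatureCount` of 0, the template simply does not ask for an agent signature, and the browse dialog has nothing to offer.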