
Enroll for Certificates on Behalf of Other Clients

Applies To: Windows Server 2008

It is not always possible for users to enroll for a certificate on their own behalf. This can be the case for a user smart card certificate. By default, only domain administrators are granted permission to request a certificate on behalf of another user. However, a user other than a domain administrator can be granted permission to become an enrollment agent. A user becomes an enrollment agent by enrolling for an Enrollment Agent certificate.

Important

Once someone has an Enrollment Agent certificate, that person can enroll for a certificate and generate a smart card on behalf of anyone in the organization. The resulting smart card could then be used to log on to the network and impersonate the real user. Because of the powerful capability of the Enrollment Agent certificate, it is strongly recommended that your organization maintain very strong security policies over who has one.

Membership in the Users group and an Enrollment Agent certificate are the minimum requirements to complete this procedure. Review the details in "Additional considerations" in this topic.

To enroll for a certificate on behalf of other users

  1. Open the Certificates snap-in for a user.

  2. Confirm that you are in Logical Stores View.

  3. In the console tree, expand the Personal store, and then click Certificates.

  4. On the Action menu, point to All Tasks, select Advanced Operations, and then click Enroll on behalf of to open the Certificate Enrollment Wizard. Click Next.

  5. Browse to the Enrollment Agent certificate that you will use to sign the certificate request that you are processing. Click Next.

  6. Select the type of certificate that you want to enroll for. When you are ready to request a certificate, click Enroll.

  7. After the Certificate Renewal Wizard has successfully finished, click Close.
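Because an Enrollment Agent certificate lets its holder request certificates for anyone (see the Important note above), administrators usually want an inventory of who currently holds one. The following PowerShell script is an added example, not part of this article, that lists such certificates from two vantage points: the current user's Personal store (any certificate carrying the Certificate Request Agent EKU, which is what the "Enroll on behalf of" task looks for in step 5) and the issuing CA's database. The CA configuration string and template name are placeholders you must replace.

```powershell
# Added example (not from the original article): inventory Enrollment Agent certificates.
# Assumptions: $CAConfig is a placeholder "<CAHost>\<CAName>" string; $Template is the
# template name of the default Enrollment Agent template (v1 template "EnrollmentAgent").
param(
    [string]$CAConfig = 'CA01.example.local\Example Issuing CA',   # placeholder
    [string]$Template = 'EnrollmentAgent'
)

# OID of the Certificate Request Agent EKU; a certificate with this EKU can sign
# requests made on behalf of other users ("Enroll on behalf of" in the wizard).
$agentEku = '1.3.6.1.4.1.311.20.2.1'

# 1) Client side: Enrollment Agent certificates available to the current user.
$localAgents = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $agentEku } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint

Write-Host "Enrollment Agent certificates in CurrentUser\My: $($localAgents.Count)"
$localAgents | Format-Table -AutoSize

# 2) CA side: every issued certificate (Disposition 20 = issued) based on the
#    Enrollment Agent template, as recorded in the CA database. certutil's "csv"
#    output keyword gives a header row plus one row per certificate.
$rows = certutil -config $CAConfig -view `
    -restrict "CertificateTemplate=$Template,Disposition=20" `
    -out "RequestID,RequesterName,CommonName,NotBefore,NotAfter,SerialNumber" csv

if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil -view failed (exit $LASTEXITCODE); check the CA config string and your permissions."
    return
}

$issued = $rows | Where-Object { $_ -match '\S' } | ConvertFrom-Csv

Write-Host "Issued $Template certificates recorded by the CA: $($issued.Count)"
$issued | Format-Table -AutoSize

# Group by requester so that accounts holding more than one agent certificate stand out;
# each one is a separate credential that must be revoked if the holder changes role.
$issued | Group-Object 'Requester Name' |
    Sort-Object Count -Descending |
    Select-Object @{n='Requester';e={$_.Name}}, Count |
    Format-Table -AutoSize
```

Run it as a user who can read the CA database (for example, a CA administrator or auditor) and compare the CA-side list against the accounts that your policy actually authorizes to act as enrollment agents.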

Additional considerations

Additional references