No certificate available when enrolling on behalf

I have one WinServer 2008 domain controller with a CA server on it. I log in with the Administrator account and want to request a certificate "on behalf" of a user of my DC.

To do that, I first duplicated these certificate templates:

smart logon
smart user
enrollment agent

I changed the configuration and permissions for the new templates so that the Administrator account can read, write and enroll for these templates.

After creating these new templates and assigning permissions and configuration, from the MMC Certificates snap-in, for user account certificates, in the "Personal" section, we requested a new certificate for the Administrator account to make it an enrollment agent.

It was then generated with no problem, and we want to request a certificate on behalf of a user with this new certificate. But in "Select enrollment agent certificate", when we click on the "Browse" button, we have a problem because there is no certificate to select.

I read a lot of documents online but I did not find the reason or a way to solve this problem!

Best Answer

The default setting on the Enrollment Agent template requires CA manager approval. It appears that you didn't read the status message shown when you enrolled the certificate, which mentions manual certificate approval.

Open the Certification Authority MMC snap-in and expand the Pending Requests folder. You should see a pending request for the enrollment agent. Finish the request by approving it and running the following command on the computer where you requested the Enrollment Agent certificate:

certutil -pulse

This command will trigger autoenrollment, and autoenrollment will retrieve and install the issued enrollment agent certificate.
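
The same approve-and-retrieve sequence from the command line, followed by a check that the certificate actually landed in the user's Personal store. This is an added example, not part of the original answer; the `-RequestId` parameter, the function name and the variable names are illustrative, and it assumes the certificate was requested in the current user's store as described in the question.

```powershell
# Added example (not from the original answer).
# Steps 1-2 run on the CA; steps 3-4 run where the certificate was requested.
param([string]$RequestId)   # ID of the pending request to issue (optional)

# EKU carried by Enrollment Agent certificates (Certificate Request Agent).
$AgentEkuOid = '1.3.6.1.4.1.311.20.2.1'

# 1. On the CA: list pending requests (Disposition 9 = pending).
certutil -view -restrict "Disposition=9" -out "RequestID,RequesterName,CertificateTemplate"

# 2. On the CA: issue the request only after confirming requester and template.
#    An enrollment agent can request certificates for other users, so review it.
if ($RequestId) { certutil -resubmit $RequestId }

# 3. On the requesting computer: trigger autoenrollment to fetch the issued cert.
certutil -pulse

# 4. Look for a usable enrollment agent certificate in the user's Personal store:
#    it needs a private key, must not be expired, and must carry the agent EKU.
function Get-EnrollmentAgentCert {
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
            }
        }
        if ($cert.HasPrivateKey -and ($cert.NotAfter -gt (Get-Date)) -and ($ekus -contains $AgentEkuOid)) {
            $cert
        }
    }
}

$agentCerts = @(Get-EnrollmentAgentCert)
if ($agentCerts.Count -eq 0) {
    Write-Warning "No enrollment agent certificate in Cert:\CurrentUser\My; check Pending Requests on the CA."
} else {
    $agentCerts | Format-List Subject, Thumbprint, NotAfter
}
```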