An enrollment agent must hold a certificate that allows him or her to request a smart card certificate on behalf of another. This is made possible by including the Certificate Request Agent OID (126.96.36.199.4.1.3188.8.131.52) in the Enhanced Key Usage or Application Policies extension of the certificate.
Warning You cannot prevent a certificate holder with the Certificate Request Agent OID from requesting certificates for specific users in Active Directory. The holder can request a certificate for any user in Active Directory, including members of the Enterprise Admins or Schema Admins groups.
The Enrollment Agent certificate template is the default certificate template that allows a user to act as an enrollment agent. Some organizations choose to create a version 2 certificate template, based on the Enrollment Agent certificate template to enable the following modifications:
■ Require certificate manager approval for issuance.
■ Add a certificate policy to describe the issuance method of the Enrollment Agent certificate, which increases the assurance level of the smart card certificate.
Was this article helpful?