Enrollment Agent Certificate

An enrollment agent must hold a certificate that allows him or her to request a smart card certificate on behalf of another. This is made possible by including the Certificate Request Agent OID ( in the Enhanced Key Usage or Application Policies extension of the certificate.

Warning: You cannot restrict a holder of a certificate with the Certificate Request Agent OID to requesting certificates for specific users in Active Directory. The holder can request a certificate for any user in Active Directory, including members of the Enterprise Admins or Schema Admins groups.

The Enrollment Agent certificate template is the default certificate template that allows a user to act as an enrollment agent. Some organizations instead create a version 2 certificate template, based on the Enrollment Agent certificate template, so that they can make the following modifications:

■ Require certificate manager approval for issuance.

■ Add a certificate policy to describe the issuance method of the Enrollment Agent certificate, which increases the assurance level of the smart card certificate.
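One way to audit templates against the two hardening steps above, as an added example that is not from the original text: it assumes each template is supplied as a dict of its Active Directory attributes (the attribute names and the manager-approval flag bit are the ones documented in MS-CRTD, and the Certificate Request Agent OID value is Microsoft's published one; none of these values appear on this page), with constructed sample templates embedded inline.

```python
# Audit AD CS certificate templates that grant enrollment agent capability.
# Assumption: templates are dicts keyed by the AD attribute names from MS-CRTD.
CERT_REQUEST_AGENT_OID = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent EKU (documented value)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002  # msPKI-Enrollment-Flag bit: CA certificate manager approval


def grants_enrollment_agent(template):
    """True if the template's EKU or Application Policies contain the Certificate Request Agent OID."""
    eku = template.get("pKIExtendedKeyUsage", [])
    app_policy = template.get("msPKI-Certificate-Application-Policy", [])
    return CERT_REQUEST_AGENT_OID in eku or CERT_REQUEST_AGENT_OID in app_policy


def audit_template(template):
    """Return findings for one template: no manager approval, or no certificate policy describing issuance."""
    findings = []
    if not grants_enrollment_agent(template):
        return findings  # not an enrollment agent template; nothing to check
    name = template.get("cn", "<unnamed>")
    if not template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append(f"{name}: issues enrollment agent certificates without certificate manager approval")
    if not template.get("msPKI-Certificate-Policy"):
        findings.append(f"{name}: no certificate policy OID documents the issuance method")
    return findings


def audit_templates(templates):
    """Run audit_template over every template and flatten the findings."""
    findings = []
    for template in templates:
        findings.extend(audit_template(template))
    return findings


# Constructed sample templates (not real directory data); the policy OID is a placeholder.
SAMPLE_TEMPLATES = [
    {"cn": "EnrollmentAgent", "msPKI-Template-Schema-Version": 1,
     "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_OID], "msPKI-Enrollment-Flag": 0},
    {"cn": "SmartcardEnrollmentAgent-v2", "msPKI-Template-Schema-Version": 2,
     "msPKI-Certificate-Application-Policy": [CERT_REQUEST_AGENT_OID],
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
     "msPKI-Certificate-Policy": ["1.3.6.1.4.1.99999.1.2"]},
    {"cn": "User", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0},
]

if __name__ == "__main__":
    for finding in audit_templates(SAMPLE_TEMPLATES):
        print(finding)
```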
