PDA

View Full Version : Requesting a certificate for another user

Franc v/d Westelaken
Hi,

I've installed a Windows 2003 CA in Enterprise Mode. Is it possible as
an administrator to request a certificate on behalf of another user ?
I don't want to burden a user with certificate request. I want to
request a certificate for that user and distribute it.

Is this possible ?

Franc.
David Cross [MS]
technically yes, we support this for smartcards in the web enrollment pages.
if you wanted to do this for any cert type, it would require some
customization of the web pages and some custom code (VBscript). Here are
some c code samples:

http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dncapi/html/certenrollment.asp

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

"Franc v/d Westelaken" wrote in message
news:408e3245.3100000@msnews.microsoft.com...
> Hi,
>
> I've installed a Windows 2003 CA in Enterprise Mode. Is it possible as
> an administrator to request a certificate on behalf of another user ?
> I don't want to burden a user with certificate request. I want to
> request a certificate for that user and distribute it.
>
> Is this possible ?
>
> Franc.


Sasa

As for the possibility to request a certificate on behalf
of another user, there is a template called enrollment
agent, that should be configured for the purpose. This one
is ussualy used for smart card deployments, but is
intended for a signature purpose in general.

You could also check autoenrollment option in GPO user
settings. Thus you will take the burden of the
administrator as well.

All you need is to configure Certificate Templates .msc
for the certificates you want users to automatically
enroll for, and also, don't forget to configure your group
policy.

Regards,

S


>-----Original Message-----
>Hi,
>
>I've installed a Windows 2003 CA in Enterprise Mode. Is
it possible as
>an administrator to request a certificate on behalf of
another user ?
>I don't want to burden a user with certificate request. I
want to
>request a certificate for that user and distribute it.
>
>Is this possible ?
>
>Franc.
>.
>
Franc v/d Westelaken
Hi,

I though about auto entrollment too, but as far as I can see you need
Windows 2003 Enterprise Edition for that, we are running the Standard
Edition...

When I use the Enrollment Agent, can I use that one without any
modifications for generating a User certificate ? I need such a
certificate for our users to authenticate with our intranet. When
connecting from outside our network.

Franc.

"Sasa" wrote:

>
>As for the possibility to request a certificate on behalf
>of another user, there is a template called enrollment
>agent, that should be configured for the purpose. This one
>is ussualy used for smart card deployments, but is
>intended for a signature purpose in general.
>
>You could also check autoenrollment option in GPO user
>settings. Thus you will take the burden of the
>administrator as well.
>
>All you need is to configure Certificate Templates .msc
>for the certificates you want users to automatically
>enroll for, and also, don't forget to configure your group
>policy.
>
>Regards,
>
>S