Setting up Smart Card Login for Enroll on Behalf of


Creating a Smart Card Login Template for Enrolling on Behalf of Other Users

In order for administrators and privileged help desk users to enroll YubiKeys for other users, the CA must be set up to do so. This section provides instructions on setting up a CA to support an Enrollment Agent to allow for the Enroll on Behalf functionality.

To create an enrollment agent enabled smart card certificate template

  1. Right-click the Windows Start button and select Run.

  2. Type certtmpl.msc and press Enter.

  3. Click Certificate Templates, locate and right-click Smartcard Logon, and select Duplicate Template.

  4. Select the General tab, and make the following changes, as needed:

    • For Template display name / Template name, we recommend that you choose a short name without spaces such as YubiKey or YubicoSC.

    • For Validity period, ensure the timeframe you specify does not exceed the restrictions for your Certification Authority.

    • Optionally, to prevent users from re-enrolling multiple certificates without Administrator approval:

      • Select the option Publish certificate in Active Directory.

    • Select the option Do not automatically reenroll if a duplicate certificate exists in Active Directory.

  5. Select the Compatibility tab, and make the following changes as needed:

    • Select the operating system where the Certification Authority resides.

    • For Certificate recipient select the oldest Windows operating system in your domain environment.

  6. Select the Request Handling tab, and make the following changes as needed:

    • For Purpose, select Signature and encryption.

    • Ensure the option to Include symmetric algorithms allowed by the subject is selected.

    • Ensure the option to Renew with the same key is not selected. This option may be disabled if Windows 7 and below are included in the Compatibility settings.

      • Note: If the Renew with the same key option is selected, automatic renewal of certificates will fail.

    • Ensure the option For automatic renewal of smart card certificates, use the existing key if a new key cannot be created is selected.

    • Ensure the option Prompt the user during enrollment is checked.

  7. On the Cryptography tab, make the following changes, as needed:

    • For Provider category, click the arrow and select Key Storage Provider from the dropdown.

    • For Algorithm name, select either RSA, ECDH_P256, or ECDH_P384 from the list displayed. 

      • Note: ECDH_P521 is not supported.

      • Note that if an ECDH algorithm is selected, the client Windows machines need to have Elliptic Curve Cryptography (ECC) Certificate Login support added using Group Policy or by editing the registry. See the following section for instructions.

    • For Minimum key size, if you selected RSA in the previous step, enter 2048. If you selected ECDH_P256 or ECDH_P384 in the previous step, this field is automatically populated. 

    • Select the option for Requests must use one of the following providers:.

    • Under Providers, select Microsoft Smart Card Key Storage Provider.

    • Click the arrow for Request hash and select SHA256 from the list displayed.

  8. On the Security tab, make the following changes, as needed:

    • For Group or user names: Confirm Authenticated Users is listed. If it is not, click Add, enter the name of the group, and then click OK.

    • For Permissions for Authenticated Users, be sure the option for Read is checked.

    • For any administrator, group, or user who needs to create certificates for others, be sure the option for Read and Enroll is checked.

  9. On the Issuance Requirements tab, make the following changes, as needed:

    • Be sure the option is selected for This number of authorized signatures, and enter 1.

    • For Policy type required in signature, select Application policy.

    • For Application policy, select Certificate Request Agent.

    • For Require the following for reenrollment:

      • Same criteria as for enrollment: This will force the user to again visit the enrollment agent for renewal of the smart card certificate.

      • Valid Existing certificate: This will allow users to renew their certificates using the existing certificate by proving they have a valid certificate.

        • Note: This setting is a policy choice. If you prefer users meet face-to-face with an Enrollment agent to renew their certificate, choose Same criteria as for enrollment. If you prefer to empower users to renew their own certificate without enrollment agent assistance, choose Valid existing certificate.

  10. Click OK to close the template properties window.

  11. Close the Certificate Templates MMC Snap-in.

To add the template to the Certification Authority

  1. Right-click the Windows Start button and select Run.

  2. Type certsrv.msc and press Enter.

  3. Click Certification Authority, double-click your server, double-click Certificate Templates, right-click on the white space within the center pane, select New, and then select Certificate Template to Issue.

  4. Locate and select the enroll-on-behalf-of template you just created, and then click OK.

  5. Allow Active Directory to update. Depending on environment, it could take up to eight hours for the template to publish to Active Directory.

To specify the permissions for the enrollment agents and publish the certificate template

  1. Right-click the Windows Start button and select Run.

  2. Type certtmpl.msc and press Enter.

  3. Right-click the Enrollment Agent template, and then click Properties.

  4. On the Security tab, make sure the user or group designated as an Enrollment Agent has Read and Enroll permissions on the template, and then click OK.

  5. In the Certificate Authority window, right-click the Certificate Templates folder, and select New, and then select Certificate Template to Issue.

  6. Select the Enrollment Agent template, and click OK. The Enrollment Agent certificate automatically saves to the user's default file save location.

To create an enrollment agent

  1. Right-click the Windows Start button and select Run.

  2. Type certmgr.msc and press Enter.

  3. Under Console Root, click to expand Certificates - Current User.

  4. Click to expand Personal.

  5. Click to select Certificates.

  6. Right-click on the white space within the center pane, select All Tasks, and then select Request New Certificate…

  7. Click Next.

  8. Select Active Directory Enrollment Policy and then click Next.

  9. Locate and select the Enrollment Agent template, and then click Enroll.

To use an enrollment agent to “Enroll on Behalf of”

  1. Right-click the Windows Start button and select Run.

  2. Type certmgr.msc and press Enter.

  3. Under Console Root, click to expand Certificates - Current User.

  4. Click to expand Personal.

  5. Right-click on the white space within the right pane, select All Tasks, select Advanced Operations, and then select Enroll on Behalf of.

  6. Select Active Directory Enrollment Policy and then click Next.

  7. Click Browse, choose your enrollment agent certificate from the Security Pop-up screen, and then click Next.

  8. Locate and select the smart card template you created for enroll on behalf of, and then click Next.

  9. Click Browse, select the user you want to enroll, and then click OK.

  10. In the User name or Alias field, verify you have the correct user, and then click Enroll.

  11. Enter the PIN for the Smart Card and then click OK. The YubiKey will be loaded with a certificate for the selected user. It is recommended that users change their PIN once the certificate is loaded.

Creating a Private Key Exportable Smart Card Login Template

In order for administrators and privileged help desk users to enroll YubiKeys for other users, the CA must be set up to do so. This section provides instructions on setting up a CA to allow the private key to be exported for the creation of PFX files with the Enroll on Behalf functionality.

To create a private key exportable smart card certificate template

  1. Right-click the Windows Start button and select Run.

  2. Type certtmpl.msc and press Enter.

  3. Click Certificate Templates, locate and right-click Smartcard Logon, and select Duplicate Template.

  4. Select the General tab, and make the following changes, as needed:

    • For Template display name / Template name, we recommend that you choose a short name without spaces such as YubiKey or YubicoSC.

    • For Validity period, ensure the timeframe you specify does not exceed the restrictions for your Certification Authority.

    • Ensure the option to Publish certificate in Active Directory is selected. 

  5. Select the Compatibility tab, and make the following changes as needed:

    • Select the operating system where the Certification Authority resides.

    • For Certificate recipient select the oldest Windows operating system in your domain environment.

  6. Select the Request Handling tab, and make the following changes as needed:

    • For Purpose, select Signature and encryption.

    • Ensure the option to Include symmetric algorithms allowed by the subject is selected.

    • Ensure the option to Renew with the same key is selected. This option may be disabled if Windows 7 and below are included in the Compatibility settings.

    • Ensure the option to Allow Private Key to be exported is selected.

    • Ensure the option For automatic renewal of smart card certificates, use the existing key if a new key cannot be created is selected.

    • Ensure the option Prompt the user during enrollment is checked.

  7. On the Cryptography tab, make the following changes, as needed:

    • For Provider category, click the arrow and select Key Storage Provider from the dropdown.

    • For Algorithm name, select either RSA, ECDH_P256, or ECDH_P384 from the list displayed. 

      • Note: ECDH_P521 is not supported.

      • Note that if an ECDH algorithm is selected, the client Windows machines need to have Elliptic Curve Cryptography (ECC) Certificate Login support added using Group Policy or by editing the registry. See the following section for instructions.

    • For Minimum key size, if you selected RSA in the previous step, enter 2048. If you selected ECDH_P256 or ECDH_P384 in the previous step, this field is automatically populated. 

    • Select the option for Requests must use one of the following providers:.

    • Under Providers, select Microsoft Software Key Storage Provider.

    • Click the arrow for Request hash and select SHA256 from the list displayed.

  8. On the Security tab, make the following changes, as needed:

    • For Group or user names: Confirm Authenticated Users is listed. If it is not, click Add, enter the name of the group, and then click OK.

    • For Permissions for Authenticated Users, be sure the option for Read is checked.

    • For any administrator, group, or user who needs to create certificates for others, be sure the option for Read and Enroll is checked.

  9. On the Issuance Requirements tab, make the following changes, as needed:

    • Be sure the option is selected for This number of authorized signatures, and enter 1.

    • For Policy type required in signature, select Application policy.

    • For Application policy, select Certificate Request Agent.

    • For Require the following for reenrollment:

      • Same criteria as for enrollment: This will force the user to again visit the enrollment agent for renewal of the smart card certificate.

      • Valid Existing certificate: This will allow users to renew their certificates using the existing certificate by proving they have a valid certificate.

        • Note: This setting is a policy choice. If you prefer users meet face-to-face with an Enrollment agent to renew their certificate, choose Same criteria as for enrollment. If you prefer to empower users to renew their own certificate without enrollment agent assistance, choose Valid existing certificate.

  10. Click OK to close the template properties window.

  11. Close the Certificate Templates MMC Snap-in.
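An added audit script, not part of the Yubico guide, that reads a template back from Active Directory and reports whether the Issuance Requirements, Cryptography, Request Handling and General settings from both template procedures above took effect, and lists who holds the Enroll right on the Enrollment Agent template. It assumes the ActiveDirectory PowerShell module; the template name YubiKey and the cn EnrollmentAgent are placeholders to replace with your own.

```powershell
# Added audit script, not part of the Yubico guide. Requires the ActiveDirectory
# module. Template names below are placeholders: adjust them to your own.
param(
    [string]$EoboTemplate  = 'YubiKey',         # the duplicated Smartcard Logon template
    [string]$AgentTemplate = 'EnrollmentAgent'  # cn of the Enrollment Agent template
)
Import-Module ActiveDirectory
$ReqAgentOid = '1.3.6.1.4.1.311.20.2.1'                     # Certificate Request Agent policy
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55' # "Enroll" extended right
$cfg  = (Get-ADRootDSE).configurationNamingContext
$base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"

function Get-Template([string]$Name) {
    Get-ADObject -SearchBase $base -LDAPFilter "(cn=$Name)" -Properties *
}

function Test-EoboTemplate([string]$Name) {
    $t = Get-Template $Name
    if (-not $t) { throw "Template '$Name' not found in AD" }
    # v4 templates store RA policies in a backtick-delimited string; joining covers both forms
    $raPolicies = ($t.'msPKI-RA-Application-Policies' -join ' ')
    [pscustomobject][ordered]@{
        Template              = $Name
        # Issuance Requirements: 1 signature, Certificate Request Agent application policy
        OneSignatureRequired  = ($t.'msPKI-RA-Signature' -eq 1)
        RequestAgentPolicy    = ($raPolicies -match [regex]::Escape($ReqAgentOid))
        # Cryptography tab: minimum key size and the provider the request must use
        MinKeySize            = $t.'msPKI-Minimal-Key-Size'
        Providers             = ($t.pKIDefaultCSPs -join '; ')
        # Request Handling: CT_FLAG_EXPORTABLE_KEY (0x10) belongs only on the PFX template
        PrivateKeyExportable  = (($t.'msPKI-Private-Key-Flag' -band 0x10) -ne 0)
        # General tab: CT_FLAG_PUBLISH_TO_DS (0x8) and the duplicate-certificate check (0x10)
        PublishedToAD         = (($t.'msPKI-Enrollment-Flag' -band 0x8) -ne 0)
        NoReenrollIfDuplicate = (($t.'msPKI-Enrollment-Flag' -band 0x10) -ne 0)
    }
}

function Get-EnrollPrincipals([string]$Name) {
    # Lists every principal granted the Enroll extended right on the template object
    $t   = Get-Template $Name
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $EnrollRight } |
        Select-Object -ExpandProperty IdentityReference -Unique
}

Test-EoboTemplate $EoboTemplate | Format-List
"Principals allowed to Enroll on '$AgentTemplate' (expect only your enrollment agents):"
Get-EnrollPrincipals $AgentTemplate
```

Run it from a domain-joined administrative workstation after the template has replicated; PrivateKeyExportable should be false for the first template and true only for the PFX template.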

To add the template to the Certification Authority

  1. Right-click the Windows Start button and select Run.

  2. Type certsrv.msc and press Enter.

  3. Click Certification Authority, double-click your server, double-click Certificate Templates, right-click on the white space within the center pane, select New, and then select Certificate Template to Issue.

  4. Locate and select the private key exportable template you just created, and then click OK.

  5. Allow Active Directory to update. Depending on environment, it could take up to eight hours for the template to publish to Active Directory.

To specify the permissions for the enrollment agents and publish the certificate template

  1. Right-click the Windows Start button and select Run.

  2. Type certtmpl.msc and press Enter.

  3. Right-click the Private key exportable template, and then click Properties.

  4. On the Security tab, make sure the user or group designated as an Enrollment Agent has Read and Enroll permissions on the template, and then click OK.

  5. In the Certificate Authority window, right-click the Certificate Templates folder, and select New, and then select Certificate Template to Issue.

  6. Select the Enrollment Agent template, and click OK. The Enrollment Agent certificate automatically saves to the user's default file save location.
