Archive for the ‘Enrollment Agent’ Category

Restricting Enrollment Agents

February 10th, 2012

Once someone holds an Enrollment Agent certificate, that person can enroll for a certificate and produce a smart card on behalf of anyone in the organization, including every domain admin. The resulting smart card can then be used to log on to the network and impersonate the real user. Because the Enrollment Agent certificate is this powerful, it is strongly recommended that your organization maintain very strong security policies for these certificates.

Before Windows Server 2008 it was not possible to limit an enrollment agent to a particular certificate template or to a particular group of users. A Windows Server 2003 Enterprise Edition enterprise CA provides no configurable control over enrollment agents: it only enforces the application policy extension of the signing certificate (Certificate Request Agent), and any holder of such a certificate can therefore enroll on behalf of any user, including the domain admins.

In Windows Server 2008 the enterprise PKI can restrict enrollment agents so that enrollment on behalf of others is only possible for specific certificate templates and specific groups of users. With a technical means of limiting the scope of an enrollment agent, an enterprise gets a better tool to control the delegation of trust and the risk that comes with granting it.

On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of.

Note: The feature cannot constrain an enrollment agent based on a certain Active Directory organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows Server® 2008 Standard-based CA.

By using the Certification Authority snap-in (the Enrollment Agents tab of the CA's properties), you can create a permissions list for each enrollment agent that configures which users or security groups that agent can enroll on behalf of, for each certificate template.
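A check that belongs next to the policy above, added here as an example and not part of the original post: list every Enrollment Agent certificate the CA has actually issued and flag holders who are not members of the group that is supposed to hold them. The CA config string and the group name are assumptions. The query reads the CA database through certutil (the v1 EnrollmentAgent template is stored by name; a v2 duplicate is stored by its OID) and uses the ActiveDirectory module for the group lookup.

```powershell
# Added example, not from the original post. Audits issued Enrollment Agent
# certificates against the group that is supposed to hold them.
# Assumed values: replace with your own CA config string and agent group.
$CaConfig   = 'ca01.corp.example\Corp Issuing CA'
$AgentGroup = 'Smart Card Enrollment Agents'
$Template   = 'EnrollmentAgent'   # v1 template, stored by name; a v2 duplicate is stored by OID

Import-Module ActiveDirectory

# Disposition 20 = issued. The column names are CA database column names;
# 'csv' makes certutil emit a header row followed by one quoted row per cert.
$columns = 'RequestID,RequesterName,CommonName,NotAfter,SerialNumber'
$raw = & certutil.exe -config $CaConfig -view `
           -restrict "CertificateTemplate=$Template,Disposition=20" `
           -out $columns csv
if ($LASTEXITCODE -ne 0) {
    throw "certutil -view failed (exit $LASTEXITCODE):`n$($raw -join "`n")"
}

# Drop certutil's own header row (its display names vary by locale) and
# apply fixed property names instead.
$issued = $raw | Select-Object -Skip 1 |
          ConvertFrom-Csv -Header RequestID, Requester, CommonName, NotAfter, SerialNumber

# RequesterName is stored as DOMAIN\sAMAccountName; build the same form for
# every (nested) member of the agent group.
$netbios = (Get-ADDomain).NetBIOSName
$allowed = Get-ADGroupMember -Identity $AgentGroup -Recursive |
           ForEach-Object { "$netbios\$($_.SamAccountName)" }

$now = Get-Date
$report = foreach ($c in $issued) {
    $expires = Get-Date $c.NotAfter   # parsed with the current culture, as certutil printed it
    [pscustomobject]@{
        RequestID    = $c.RequestID
        Requester    = $c.Requester
        SerialNumber = $c.SerialNumber
        NotAfter     = $expires
        Expired      = $expires -lt $now
        InAgentGroup = $allowed -contains $c.Requester
    }
}

$report | Sort-Object Requester | Format-Table -AutoSize

# Anything still valid and held outside the agent group is a revocation candidate:
#   certutil -config $CaConfig -revoke <SerialNumber> 4    (4 = Superseded; choose your reason)
$report | Where-Object { -not $_.Expired -and -not $_.InAgentGroup }
```

Run it on the CA (or anywhere certutil can reach the CA with a DCOM-capable account). Because the Enrollment Agent certificate is not tied to a group membership once issued, revoking the certificate, not just removing the user from the group, is what actually takes the capability away.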


Enroll for a smart card certificate on behalf of other users

February 7th, 2012

To enroll for a smart card certificate on behalf of someone, the user must have an enrollment agent certificate. The smart card enrollment agent can create smart cards on behalf of any user, including an enterprise administrator.

Follow the steps below to create an enrollment agent trusted to enroll for a smart card certificate on behalf of other users:

Create a smart card certificate template that requires an enrollment agent signature:

  1. Open the Certificate Template Management console
  2. Right click the Smartcard User or Smartcard Logon template and choose Duplicate Template
    Note: If you are using a Windows 2008 CA or above you will be prompted to select the minimum CA for your new template. Select the 2003 Enterprise option.
  3. Provide a name for the smart card template and set the validity period that you desire for the environment
  4. On Request Handling tab, do the following
    • Select Signature and smartcard logon under Purpose
    • Under CSPs, select the CSP that should be used for your smart cards
  5. On Issuance Requirements tab, do the following
    • Select The number of authorized signatures: and set it to 1
    • Under Policy type required in signature, select Application Policy
    • Under Application Policy select Certificate Request Agent
  6. On the Security tab, make sure the user or group designated as the enrollment agent has Read and Enroll permissions on the template
  7. Click Apply and then OK.
  8. Close Certificate Templates console
  9. In the Certificate Authority snap-in, right click Certificate Templates folder and select New
  10. Select “Certificate Template to Issue”
  11. Select the new template and click Ok

Specify or adjust the permissions of the enrollment agents and publish the Enrollment Agent certificate template:

  1. Open the Certificate Template Management console
  2. Right-click the EnrollmentAgent template, and then click Properties
  3. On the Security tab, make sure the user or group designated as an enrollment agent has Read and Enroll permissions on the template, and then click OK
  4. In the Certificate Authority snap-in, right click Certificate Templates folder and select New
  5. Select “Certificate Template to Issue”
  6. Select the Enrollment Agent template and click Ok

Enroll the smart card enrollment agent certificate:

Note: It is recommended to store the enrollment agent certificate on a smart card to provide proper protection

  1. Log on to the domain with the Enrollment Agent account
  2. Open certmgr.msc to manage the current user's certificates
  3. Open the Personal folder, right-click in the right-hand pane, and then click All Tasks.
  4. Click Request New Certificate
  5. Complete the Certificate Request Wizard and request an Enrollment Agent certificate

Create a smart card certificate for a user using the new smart card template and the enrollment agent:

  1. Log on to a system that has a smart card reader, as a user that holds an Enrollment Agent certificate
  2. Open certmgr.msc
  3. Expand Personal, and then right-click on the Certificates folder
  4. Select All Tasks > Advanced Operations > Enroll on behalf of from the context menu
  5. Click Next
  6. When prompted, browse to the signing certificate for the enrollment agent. Click Next
  7. Select the certificate template you created, and click Next
  8. Browse to and select the user name (this will be the subject of the smart card certificate), then click Enroll
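Before handing the template to an agent it is worth reading it back out of Active Directory and confirming that the Issuance Requirements and Security tab ended up as the steps above intend. The following is an added example, not code from the original post; the template CN and the agent group name are assumptions, and it needs the ActiveDirectory module (RSAT). The Certificate Request Agent OID and the Certificate-Enrollment right GUID are the standard Microsoft values.

```powershell
# Added example, not from the original post. Reads the duplicated smart card
# template back from AD, checks the Issuance Requirements set in the procedure,
# lists who can enroll it, and shows which CAs publish it.
Import-Module ActiveDirectory

$TemplateCn = 'SmartcardUserEOBO'              # assumed CN of the duplicate (display name without spaces)
$AgentGroup = 'Smart Card Enrollment Agents'   # assumed group granted Read + Enroll on the Security tab

$CertRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'                        # Certificate Request Agent application policy
$EnrollRight         = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'    # Certificate-Enrollment extended right

$cfg = (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
         -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateCn))" `
         -Properties displayName, 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies', nTSecurityDescriptor
if (-not $tpl) { throw "Template $TemplateCn not found in $cfg" }

# Issuance Requirements: exactly one authorized signature carrying the
# Certificate Request Agent application policy. v3/v4 templates pack the OID
# into a longer string, so match on substring rather than equality.
$sigCount      = [int]$tpl.'msPKI-RA-Signature'
$raPolicy      = ($tpl.'msPKI-RA-Application-Policies' -join ';')
$requiresAgent = ($sigCount -eq 1) -and ($raPolicy -like "*$CertRequestAgentOid*")

# Security tab: principals allowed Enroll (the extended right, or a blanket
# "all extended rights" ACE) or GenericAll on the template object.
$rights    = [System.DirectoryServices.ActiveDirectoryRights]
$enrollers = $tpl.nTSecurityDescriptor.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ActiveDirectoryRights -band $rights::GenericAll) -or
            (($_.ActiveDirectoryRights -band $rights::ExtendedRight) -and
             ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty))
        )
    } | Select-Object -ExpandProperty IdentityReference -Unique

# Published on which enterprise CAs (steps 9-11 add the CN to certificateTemplates).
$publishedOn = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" `
    -LDAPFilter "(&(objectClass=pKIEnrollmentService)(certificateTemplates=$TemplateCn))" |
    Select-Object -ExpandProperty Name

[pscustomobject]@{
    Template             = $tpl.displayName
    AuthorizedSignatures = $sigCount
    RequiresRequestAgent = $requiresAgent
    EnrollPrincipals     = ($enrollers | ForEach-Object { $_.Value }) -join ', '
    AgentGroupCanEnroll  = [bool]($enrollers | Where-Object { $_.Value -like "*\$AgentGroup" })
    PublishedOn          = ($publishedOn -join ', ')
}
```

If RequiresRequestAgent comes back false, the CA will issue the smart card certificate to anyone in EnrollPrincipals without an agent signature, which defeats the point of the procedure; fix the Issuance Requirements tab before publishing. Principals other than the agent group in EnrollPrincipals deserve the same scrutiny.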


Problem in certreq.exe sign operation

August 13th, 2011

CMC certificate requests are normally used in combination with EOBO enrollment (Enroll On Behalf Of) scenarios where additional enrollment agent signatures are required by the certification authority to accept and process the certificate request.

Generating and signing the CMC certificate request can be done either with the certmgr.msc MMC snap-in or scripted with the certreq.exe tool that ships with Windows. The procedure for generating and signing the CMC certificate request with certreq consists of the following steps:

1. Create a certificate request INF file describing the request; below is a sample INF file for an EOBO request:

[Version]
Signature="$Windows NT$"

[NewRequest]
RequesterName = Crisco0\Administrator
RequestType = CMC

[RequestAttributes]
CertificateTemplate = EOBO_Template


2. Generate the initial self-signed CMC certificate request using the command:

certreq.exe -new certificate_request.inf certificate_request.req

3. Sign the initial self-signed CMC certificate request with the enrollment agent certificate using the command:

certreq.exe -sign certificate_request.req signed_certificate.req

4. Submit the agent signed CMC request to the enterprise CA and receive the certificate using the command:

certreq.exe -submit signed_certificate.req new_certificate.cer
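The three commands above as one script, added here as an example and not code from the original post. It writes the INF for a given target user, runs -new, -sign and -submit in turn, and stops with the certreq output at whichever step returns a non-zero exit code, so a failed agent signature never produces a stale or half-finished request. Every value in it (target user, template, CA config string, enrollment agent certificate thumbprint) is an assumption; -cert is used to pick the signing certificate by hash instead of prompting.

```powershell
# Added example, not from the original post: the certreq EOBO procedure as a
# function with per-step error handling. All values below are assumptions.
function Invoke-EoboRequest {
    param(
        [Parameter(Mandatory)][string]$TargetUser,      # DOMAIN\user the certificate is for
        [Parameter(Mandatory)][string]$Template,        # template that requires one agent signature
        [Parameter(Mandatory)][string]$CaConfig,        # "CAHost\CA Name"
        [Parameter(Mandatory)][string]$AgentCertHash,   # SHA-1 thumbprint of the enrollment agent cert
        [string]$WorkDir = (Join-Path $env:TEMP 'eobo')
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf    = Join-Path $WorkDir "$($TargetUser -replace '\\', '_').inf"
    $req    = [IO.Path]::ChangeExtension($inf, '.req')
    $signed = [IO.Path]::ChangeExtension($inf, '.signed.req')
    $cer    = [IO.Path]::ChangeExtension($inf, '.cer')
    Remove-Item $req, $signed, $cer -ErrorAction SilentlyContinue

    # Same INF as above; the backticks stop PowerShell expanding $Windows.
    @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
RequesterName=$TargetUser
RequestType=CMC

[RequestAttributes]
CertificateTemplate=$Template
"@ | Set-Content -Path $inf -Encoding Ascii

    # Runs one certreq step; a non-zero exit becomes a terminating error that
    # names the step and carries certreq's own message (e.g. the 0x800704df
    # failure this post goes on to describe), so -submit never runs on an
    # unsigned request.
    function Invoke-Step([string]$Step, [string[]]$Arguments) {
        $out = & certreq.exe @Arguments 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw ("certreq -{0} failed with 0x{1:X8}:`n{2}" -f $Step, $LASTEXITCODE, ($out -join "`n"))
        }
        $out
    }

    Invoke-Step 'new'  @('-new', '-q', $inf, $req) | Out-Null
    # -cert selects the enrollment agent certificate by hash instead of showing a picker.
    Invoke-Step 'sign' @('-sign', '-q', '-cert', $AgentCertHash, $req, $signed) | Out-Null
    $result = Invoke-Step 'submit' @('-submit', '-q', '-config', $CaConfig, $signed, $cer)

    # The .cer only exists if the CA issued immediately; a request left pending
    # for manager approval returns text but no file.
    [pscustomobject]@{
        TargetUser  = $TargetUser
        Certificate = if (Test-Path $cer) { $cer } else { $null }
        Result      = ($result -join ' ').Trim()
    }
}

# Illustrative call with assumed values.
Invoke-EoboRequest -TargetUser 'Crisco0\alice' -Template 'EOBO_Template' `
    -CaConfig 'ca01.crisco0.local\Crisco0 Issuing CA' `
    -AgentCertHash '0123456789abcdef0123456789abcdef01234567'
```

Run it as the enrollment agent, with that user's certificate (ideally on a smart card) available in the current user store; the signing step is where a broken certreq build fails, and the thrown message makes that visible rather than leaving you to diagnose a rejected submission.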

The procedure described above works as expected until you try it on Windows 2008 R2 SP1 (I have not had the chance to test other versions yet), where you get an error message at step 3 and the agent signing fails.

What happens in step 3 is that the certreq tool tries to read the referenced certificate template from Active Directory to figure out the signing requirements, and it simply fails with the error message:

Certificate Request Processor: An attempt was made to perform an initialization operation when initialization has already been completed. 0x800704df (WIN32: 1247)

After struggling with my request inf file and certificate template with the same error, I decided to perform the agent signing using other tools. After some research I found this very interesting MSDN article http://msdn.microsoft.com/en-us/library/ms867026.aspx about Creating Certificate Requests Using the Certificate Enrollment Control and CryptoAPI. The article looked nice with provided samples, but I wanted something simpler, so I ended up at this article http://technet.microsoft.com/en-us/library/ff182315(WS.10).aspx about "Create Enroll on Behalf of Another User Request". Using the code from the "Create Enroll on Behalf of Another User Request" article I created the cmcSigner tool, and the CMC request could be signed and the certificate issued without errors.

What if this version of certreq.exe has some issue? To figure that out I decided to test the certreq -sign operation with an older version of certreq.exe, so I grabbed the Windows 2003 Admin Tool Pack, extracted certreq.exe from it, and tested the signing step with no errors!

Conclusion: certreq.exe in some later versions has a problem performing a certificate signing operation.

Solution: use another version of certreq.exe or another tool like the cmcSigner tool

cmcSigner Tool download (258.8 KiB)