The notes and recording from the “ITProffs Live Meeting Series – PKI/ADCS” meeting on 23 Feb 2012 are available for download here: WinSec.IT-Proffs.LiveMeeting.2012-02-23.pdf & WinSec.IT-Proffs.LiveMeeting.2012-02-23.wmv
Once someone has an Enrollment Agent certificate, that person can enroll for a certificate and generate a smart card on behalf of anyone in the organization, including all domain admins. The resulting smart card could then be used to log on to the network and impersonate the real user. Because of the powerful capability of the Enrollment Agent certificate, it is strongly recommended that your organization maintain very strong security policies for these certificates.
Permitting an enrollment agent to enroll only a certain type of certificate for a certain group of users was not possible before Windows Server 2008. In Windows Server 2003 Enterprise Edition the enterprise CA provides no configurable means of controlling enrollment agents other than enforcing the application policy extension of the enrollment agent certificate, which only verifies that the credentials grant the ability to enroll on behalf of other users, including domain admins.
In Windows Server 2008 the enterprise PKI architecture makes it possible to restrict enrollment agents so that enrollment is only possible for a certain certificate template and a certain group of users. By providing a technical means of limiting the scope of enrollment agents, an enterprise is given a better tool to control the delegation of trust and the risk associated with granting that trust.
On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of.
Note: The feature cannot constrain an enrollment agent based on a certain Active Directory organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows Server® 2008 Standard-based CA.
By using the Certificate Services snap-in, you can create a permissions list for each enrollment agent to configure which users or security groups an enrollment agent can enroll on behalf of for each certificate template.
To enroll for a smart card certificate on behalf of someone, the user must have an enrollment agent certificate. The smart card enrollment agent can create smart cards on behalf of any user, including an enterprise administrator.
Follow the steps below to create an enrollment agent trusted to enroll for a smart card certificate on behalf of other users:
Create an Enrollment Agent enabled Smart Card Certificate Template:
- Open the Certificate Template Management console
- Right click the Smartcard User or Smartcard Logon template and choose Duplicate Template
Note: If you are using a Windows 2008 CA or above you will be prompted to select the minimum CA for your new template. Select the 2003 Enterprise option.
- Provide a name for the smart card template and set the validity period that you desire for the environment
- On the Request Handling tab, do the following:
  - Select Signature and smartcard logon under Purpose
  - Under CSPs, select the CSP that should be used for your smart cards
- On the Issuance Requirements tab, do the following:
  - Select The number of authorized signatures: and set it to 1
  - Under Policy type required in signature, select Application Policy
  - Under Application Policy select Certificate Request Agent
- On the Security tab, make sure the user or group that is designated as enrollment agent has Read and Enroll permissions on the template
- Click Apply and then OK.
- Close Certificate Templates console
- In the Certificate Authority snap-in, right click Certificate Templates folder and select New
- Select “Certificate Template to Issue”
- Select the new template and click Ok
Specify/adjust the permissions of the Enrollment Agents and publish the Enrollment Agent certificate template:
- Open the Certificate Template Management console
- Right-click the EnrollmentAgent template, and then click Properties
- On the Security tab, make sure the user or group designated as an enrollment agent has Read and Enroll permissions on the template, and then click OK
- In the Certificate Authority snap-in, right click Certificate Templates folder and select New
- Select “Certificate Template to Issue”
- Select the Enrollment Agent template and click Ok
Enroll the smart card enrollment agent certificate:
Note: It is recommended to store the enrollment agent certificate on a smart card to provide proper protection
- Log on to the domain with the Enrollment Agent account
- Open certmgr.msc to manage the current user's certificates
- Open the Personal folder, right-click in the right-hand pane, and then click All Tasks.
- Click Request New Certificate
- Complete the Certificate Request Wizard and request an Enrollment Agent certificate
Create a smart card certificate for a user using the new smart card template and the enrollment agent:
- Log on to a system that has a smart card reader with a user that has an Enrollment Agent certificate
- Open certmgr.msc
- Expand Personal, and then right-click on the Certificates folder
- Select All Tasks > Advanced Operations > Enroll on behalf of from the context menu
- Click Next
- When prompted, browse to the signing certificate for the enrollment agent. Click Next
- Select the certificate template you created, and click Next
- Browse and select the user name (this will be the subject of the smart card certificate), then click Enroll
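An audit check to go with the procedure above, added here and not part of the original post: a PowerShell script that uses certutil -view against the CA database to list who holds a valid Enrollment Agent certificate and which agent account signed each on-behalf-of smart card request. The CA configuration string, the name of the duplicated smart card template and the approved-agent list are placeholders for your environment.

```powershell
# Added audit example, not from the original post. Assumes certutil.exe on a
# domain member with read access to the CA database; the values below are
# placeholders and must be replaced for your environment.
$CaConfig       = 'CA01.corp.example\Corp Issuing CA'   # placeholder CA config string
$AgentTemplate  = 'EnrollmentAgent'                     # built-in template name
$SmartCardTmpl  = 'SmartcardUserEA'                     # constructed name of the duplicated template
$ApprovedAgents = @('CORP\svc-enrollagent')             # placeholder: designated enrollment agents

function Get-IssuedCerts([string]$Template) {
    # Disposition=20 means "issued"; csv output is re-parsed with fixed headers
    $raw = & certutil.exe -config $CaConfig -view `
        -restrict "CertificateTemplate=$Template,Disposition=20" `
        -out 'RequestID,RequesterName,CommonName,NotAfter' csv
    $raw | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID,RequesterName,CommonName,NotAfter
}

# 1. Who currently holds an unexpired Enrollment Agent certificate?
$agents = Get-IssuedCerts $AgentTemplate | Where-Object {
    try { (Get-Date $_.NotAfter) -gt (Get-Date) } catch { $true }  # keep if date unparseable
}
Write-Host 'Valid Enrollment Agent certificates:'
$agents | Format-Table RequestID, RequesterName, NotAfter -AutoSize

$unexpected = $agents | Where-Object { $ApprovedAgents -notcontains $_.RequesterName }
if ($unexpected) {
    Write-Warning 'Enrollment Agent certificates held by accounts outside the approved list:'
    $unexpected | Format-Table RequestID, RequesterName -AutoSize
}

# 2. Which account signed each smart card certificate issued on behalf of a user?
#    RequesterName is the agent that submitted the request; CommonName is the target user.
$sc = Get-IssuedCerts $SmartCardTmpl
$sc | Group-Object RequesterName | ForEach-Object {
    $flag = if ($ApprovedAgents -contains $_.Name) { '' } else { '  <-- not an approved agent' }
    '{0,-35} {1,4} smart card cert(s){2}' -f $_.Name, $_.Count, $flag
}
$sc | Format-Table RequestID, RequesterName, CommonName, NotAfter -AutoSize
```

Run it periodically and compare the agent list against the Security tab of the EnrollmentAgent template; an agent outside the approved list, or smart card certificates issued for accounts the agent was never meant to cover, is the case the restricted enrollment agent feature exists to prevent.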