You can create the RA enrollment agent credentials in the following file formats.
- PKCS#12 (Personal Information Exchange Syntax Standard).
- JKS (Java KeyStore).
- JCEKS (Java Cryptography Extension KeyStore).
- PFX (Personal Information Exchange).
See the example below for how to create them in PKCS#12.
To create RA enrollment agent credentials in PKCS#12
- On the Microsoft CA server machine, run MMC.
- Under the Certificate Authority node, right-click Certificate Template, and select Manage.
- Right-click Enrollment Agent and select Duplicate Template.
- Configure the following settings in each tab of the Properties of the New Template dialog.
- Under the Certificate Authority node, right-click Certificate Template and select New > Certificate Template to issue.
- Select the newly created template.
- Create a user in Active Directory.
- Under the Personal node, right-click Certificates and select Tasks > Advanced Operations > Enroll On Behalf Of.
- Follow the wizard instructions. When prompted, select the newly created user.
- Right-click the issued certificate and select Export.
- Follow the wizard instructions. In the Export Private Key dialog, select Yes, export the private key.
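One way to check the exported file before handing it to the RA, as an added example that is not part of the original procedure or of any product tooling: the PowerShell script below loads the PKCS#12 file and confirms that it carries a private key, the Certificate Request Agent application policy (OID 1.3.6.1.4.1.311.20.2.1), and a current validity period. The `-PfxPath` parameter name is an assumption, and the script assumes the duplicated template kept the Enrollment Agent template's default application policy.

```powershell
# Added example: sanity-check an exported RA enrollment agent PKCS#12 file.
using namespace System.Security.Cryptography.X509Certificates

param(
    # Assumed parameter name; pass the file written by the export wizard.
    [Parameter(Mandatory = $true)]
    [string]$PfxPath
)

$ErrorActionPreference = 'Stop'

# Application policy OID for "Certificate Request Agent".
$agentOid = '1.3.6.1.4.1.311.20.2.1'

# Prompt for the export password so it stays out of arguments and history.
$password = Read-Host -Prompt 'PKCS#12 password' -AsSecureString
$fullPath = (Resolve-Path -LiteralPath $PfxPath).Path

# DefaultKeySet without PersistKeySet: the temporary key container is
# removed again when the certificate object is reset.
$cert = [X509Certificate2]::new($fullPath, $password, [X509KeyStorageFlags]::DefaultKeySet)

try {
    # Collect every OID listed in the Enhanced Key Usage extension.
    $ekuOids = @(
        $cert.Extensions |
            Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
    )
    $now = Get-Date
    $result = [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey
        HasAgentPolicy = $ekuOids -contains $agentOid
        WithinValidity = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
    }
    $result | Format-List

    if (-not ($result.HasPrivateKey -and $result.HasAgentPolicy -and $result.WithinValidity)) {
        Write-Error 'File is not a usable enrollment agent credential.'
    }
}
finally {
    $cert.Reset()   # release the imported private key
}
```

Because the template allows the private key to be exported, the resulting file lets its holder request certificates on behalf of other users, so store it with restrictive file permissions and a strong export password.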
General
Click this tab and write a name for the new template in the Template display name field.
Request Handling
Click this tab and check the Allow private key to be exported box.
Issuance Requirements
Click this tab and set the following values.
Parameter | Value |
---|---|
This number of authorized signatures | 1 |
Policy type required in signature | Application policy |
Application Policy | Certificate Request Agent |
Security
Click this tab and assign the following permissions to the Domain Admins user group.
Permissions for Domain Admins | Allow | Deny |
---|---|---|
Full Control | | |
Read | | |
Write | | |
Enroll | | |
Autoenroll | | |
For example: