1 Overview

This document is mainly about how to configure a Certificate Authority on Windows Server before smart card logon certificates can be requested and loaded onto FIDO keys. There are five main parts:

2 Prerequisites

3 Set up the Certificate Templates for Enrol on behalf

3.1 Create a Smartcard Enrolment Template for Agents

To create a smartcard enrolment template, you need to run the Certificate Templates Console.

Press Win+R, type "certtmpl.msc" and press Enter.

In the Certificate Templates Console, select Certificate Templates in the left pane.

Next, right-click Enrollment Agent, and select Duplicate Template.


First, select the Compatibility tab.

In the Certification Authority box, select the OS version of the CA server.

In the Certificate recipient box, select the oldest OS version of the client machines in the domain.


Next, select the General tab.

Provide the name of the template, e.g. "PIV Smartcard Enrolment Template for Agent".

Optionally, you might want to change the Validity period and Renewal period.

Enable the option "Publish certificate in Active Directory".


Next, select the Request Handling tab.

Make sure that you have selected the options as highlighted above.

Next, select the Cryptography tab.

Change the Minimum key size to 2048.

Select "Requests must use one of the following providers", and then in the Providers list select the Microsoft Base Cryptographic Provider v1.0.


Next, select the Security tab.

Make sure that the Read and Enroll permissions are enabled for the user or group of users who will be setting up the smart cards for logon.

Click Apply, and then click OK to close the template properties window.

Close the Certificate Templates Console.

3.2 Adding the Template to the Certification Authority

Right-click the Windows Start button and select Run.

Type "certsrv.msc" and press Enter to launch the Certification Authority manager.

Double-click the name of your server, e.g. "la-DC101-CA", to expand it.

Right-click Certificate Templates.

Select New and then select Certificate Template to Issue.

Find and select the newly created enrolment template, e.g. "PIV Smartcard Enrolment Template for Agent", and then click OK.

3.3 Add the enrolment template to the Agent's account

Log in to the agent's account.

Right-click the Windows Start button and select Run.

Type "certmgr.msc" and press Enter to launch the Certificate Manager.

Click on "Certificates \ Personal" to expand it.

Right-click "Certificates \ Personal \ Certificates".

Select "All Tasks \ Request New Certificate…".

Click "Next".

Click "Next".

Select the newly created enrolment template, e.g. "PIV Smartcard Enrolment Template for Agents", and click "Enroll".

Click "Finish".

3.4 Create a Certificate Logon Template for target users by Agents

  1. In order to be able to issue a smart card certificate on behalf of another user, the Smart Card User or Logon template needs to be adjusted to require the Enrolment Agent certificate for enrolment.
  2. Duplicate and configure a Smart Card User or Logon template.
  3. Make the following changes to the duplicated template:
     - In the Security tab, make sure the Read and Enroll permissions are set for the group or users who act as the Enrollment Agents to set up the other users with this certificate.
  4. Issue the certificate template.

3.5 Enroll a Smart Card Certificate on behalf of others

    1. Log in as the user that will do enrollment for others, then run certmgr.msc. Right-click "Certificates – Current User / Personal / Certificates", and select "Enroll on behalf of" from All Tasks / Advanced Operations.

    2. Click through the "Before You Begin" screen, and on the "Certificate Enrollment" screen, click the "Browse…" button and select the enrollment agent certificate you have been issued in Step 3.1. Click "OK".

       Note: If no Enrollment Agent certificate is available, you will need to request that one be issued to you.

    3. On the next page, select the smart card enrollment certificate template, i.e. PIV Smartcard Logon Template for Agents.

    4. Click Next and enter the target domain user on whose behalf you are going to enroll the certificate.

    5. Click Next; you are asked to insert the user's smart card if it is not already inserted. Enter the PIN.

    6. If the enrollment is successful, the dialog shows a success message.

    7. After the enrollment succeeds, the smart card is ready for the target user, and the agent can click "Next user" to enroll for others or close the window.

    8. The issued smart card certificate is listed in the agent's personal store.

    9. The smart card sign-in is now ready for the end user, who can log in to the domain with the issued smart card.
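As an added check (not part of the original guide), the following PowerShell script, run in the enrollment agent's session, verifies the outcome of sections 3.2 to 3.5: that both templates are published on the CA, that the agent holds a valid Certificate Request Agent certificate, and that each certificate issued from the logon template carries the Smart Card Logon EKU with at least a 2048-bit key. The template names are the example names used above and are assumptions; adjust them to your environment.

```powershell
# Added verification script, not part of the original guide.
# Run in the enrollment agent's user session after completing the steps above.
# Template names are the examples from this guide (assumed); change them to match yours.
$AgentTemplate = 'PIV Smartcard Enrolment Template for Agent'
$LogonTemplate = 'PIV Smartcard Logon Template for Agents'

# Well-known Microsoft OIDs
$CertRequestAgentEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU
$SmartCardLogonEku   = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$TemplateInfoExt     = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information extension

# 1. Are both templates published on the CA (sections 3.2 and 3.4)?
$published = certutil -CATemplates 2>$null
foreach ($t in @($AgentTemplate, $LogonTemplate)) {
    if ($published -match [regex]::Escape($t)) { "[OK]   CA publishes template '$t'" }
    else { "[FAIL] CA does not publish template '$t'" }
}

# 2. Does the agent hold a valid, private-key-backed Enrollment Agent certificate (section 3.3)?
$agentCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $CertRequestAgentEku -and
    $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey
}
if ($agentCerts) { "[OK]   Enrollment Agent certificate present: $($agentCerts[0].Thumbprint)" }
else { "[FAIL] No valid Enrollment Agent certificate in the agent's personal store" }

# 3. Check every certificate in the agent's store that was issued from the logon template (section 3.5).
#    Assumes the Template Information extension resolves to the template's display name,
#    which it does when the template is published in Active Directory.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoExt }
    if (-not $ext -or $ext.Format($false) -notmatch [regex]::Escape($LogonTemplate)) { return }
    $problems = @()
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $SmartCardLogonEku) { $problems += 'missing Smart Card Logon EKU' }
    $keySize = $cert.PublicKey.Key.KeySize   # RSA key, as required by the provider chosen in section 3.1
    if ($keySize -lt 2048) { $problems += "key size $keySize is below 2048" }
    if ($cert.NotAfter -le (Get-Date)) { $problems += 'expired' }
    if ($problems) { "[FAIL] $($cert.Subject): $($problems -join ', ')" }
    else { "[OK]   $($cert.Subject) issued from '$LogonTemplate' and meets the checks" }
}
```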