Configure the Enrollment Agent for Microsoft CA
  • 05 May 2023

Follow the steps below to configure the enrollment agent for Microsoft CA.

    1. Sign in to the certification authority as a domain administrator or as a domain user who is a member of the Domain Admins or Enterprise Admins group. Open Server Manager, go to the Tools menu, and select Certification Authority.
      [image: step1]
    2. Under the CA, navigate to the Certificate Templates folder, right-click it and select Manage.
      [image: step2]
    3. A new window opens with the list of templates. Right-click the Enrollment Agent template and select Duplicate Template.
      [image: step3]
    4. Click the Compatibility tab and set the options as highlighted in the image below. The default compatibility settings only support the legacy CSP; to support a key storage provider (KSP) and version 4 certificate templates, you must set these options accordingly.
      [image: step4]
    5. Set the properties for the template. Under the General tab, rename the template and select the Validity Period as required.
      [image: step5]
    6. Click the Cryptography tab and select the options as highlighted in the image below:
      [image: step6]
    7. Under the Request Handling tab, set the Purpose to Signature and select Enroll subject without requiring any user input. The option Allow private key to be exported is only required if you need to enroll the enrollment agent certificate for a domain user other than the one mapped to the IIS application pool.
      [image: step7]
    8. Click the Security tab and add the domain user (e.g. camanager) that runs the IIS application pool for the MSCA web service.
    9. To check which domain user runs the IIS application pool, log in to the server where the web service is deployed and open IIS > Application Pools > .NET v4.5 Classic > Identity.
      [image: step9]
    10. Assign the Read and Enroll permissions to that user, and grant Read permission to Authenticated Users.
      [image: step10]
    11. Click Apply and then OK to save the template after assigning the permissions, and close the window.
    12. After creating the template, you must publish it before the enrollment agent certificate can be enrolled. Go to the Certification Authority snap-in, right-click Certificate Templates, choose New, and select Certificate Template to Issue:
      [image: step12]
    13. Select the newly created template and click OK.
      [image: step13]
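An Enrollment Agent certificate lets its holder request certificates on behalf of other users, so the Security tab settings in steps 8 to 10 are the control that matters most: Enroll should reach only the application pool account, never a broad group. The following PowerShell audit is an added example and not part of the original article or the product it documents; it reads the duplicated template from Active Directory and reports its EKU, the CAs it is published on (steps 12 and 13), every principal that holds Enroll, and, when run on the web server, the application pool identity from step 9. The template display name, the application pool name and the expected enrolling account are assumptions taken from the steps above; adjust them to your environment.

```powershell
# Added example (not from the original article): audit the duplicated Enrollment Agent template.
# Requires the ActiveDirectory RSAT module; the IIS check only works on the web server itself.
param(
    [string]$TemplateDisplayName = 'Test Enrollment Agent',  # assumed: the name chosen in step 5
    [string]$AppPoolName         = '.NET v4.5 Classic',      # from step 9
    [string]$ExpectedEnroller    = 'camanager'               # assumed: the account added in step 8
)

Import-Module ActiveDirectory

$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'                      # Certificate Request Agent EKU
$BroadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'
$R               = [System.DirectoryServices.ActiveDirectoryRights]

$pks = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# 1. Locate the template by display name (its CN is the internal name, which may differ).
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
    -Filter "displayName -eq '$TemplateDisplayName'" `
    -Properties nTSecurityDescriptor, pKIExtendedKeyUsage
if (-not $tpl) { throw "Template '$TemplateDisplayName' was not found in Active Directory." }

# 2. It must still carry the Certificate Request Agent EKU and be published on a CA (steps 12-13).
$hasEku = $tpl.pKIExtendedKeyUsage -contains $RequestAgentOid
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates
$publishedOn = $cas | Where-Object { $_.certificateTemplates -contains $tpl.Name } |
    Select-Object -ExpandProperty Name

# 3. Who holds Enroll (step 10)? Allow ACEs granting the Enroll extended right, all extended
#    rights (empty object GUID) or GenericAll all confer it.
$enrollers = $tpl.nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        (($_.ActiveDirectoryRights -band $R::GenericAll) -eq $R::GenericAll) -or
        (($_.ActiveDirectoryRights -band $R::ExtendedRight) -and
         ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty))
    )
} | Select-Object -ExpandProperty IdentityReference -Unique | ForEach-Object { $_.Value }

# Broad groups holding Enroll on an enrollment agent template are a misconfiguration.
$broad = $enrollers | Where-Object { $p = $_; $BroadPrincipals | Where-Object { $p -like "*\$_" } }

# 4. Identity of the application pool that needs Enroll (step 9); skipped off the web server.
$poolIdentity = $null
try {
    Import-Module WebAdministration -ErrorAction Stop
    $pm = Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel -ErrorAction Stop
    $poolIdentity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }
} catch { $poolIdentity = "not checked: $($_.Exception.Message)" }

[pscustomobject]@{
    Template              = $tpl.Name
    HasRequestAgentEku    = $hasEku
    PublishedOn           = ($publishedOn -join ', ')
    EnrollGrantedTo       = ($enrollers -join ', ')
    ExpectedEnrollerHasIt = [bool]($enrollers | Where-Object { $_ -like "*\$ExpectedEnroller" })
    BroadEnrollGrants     = ($broad -join ', ')   # should be empty for an enrollment agent template
    AppPoolIdentity       = $poolIdentity
}
```

Run it from an elevated PowerShell session on the CA after step 13. `PublishedOn` should list your CA, `ExpectedEnrollerHasIt` should be `True`, `BroadEnrollGrants` should be empty (Authenticated Users only needs Read, which this check ignores), and on the web server `AppPoolIdentity` should match the account you added in step 8.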
To enroll the enrollment agent certificate, log in as the domain user (e.g. camanager) that runs the IIS application pool on the server where the MSCA web service is deployed.

    1. Open certmgr.msc from the Run window and right-click Personal.
    2. Go to All Tasks and select Request New Certificate. The Certificate Enrollment window opens.
    3. Click Next. The Certificate Enrollment Policy is displayed.
      [image: a_step3]
    4. Click Next.
      [image: a_step4]
    5. In the Request Certificates window, check the Test Enrollment Agent certificate and click Enroll.
      [image: a_step5]
    6. Click Finish in the Results window to complete the enrollment.
    7. To view the issued certificate, navigate to Personal > Certificates.
      [image: a_step7]
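Step 7 lets you see the certificate, but not whether it was issued with the properties configured earlier. The following PowerShell script is an added example, not part of the original article, that a practitioner can run in the enrolling user's session after step 6: it finds every certificate in the Personal store carrying the Certificate Request Agent EKU and reports the issuing template, whether a private key is present, whether that key lives in a KSP or a legacy CSP (the compatibility choice in step 4) and whether it is exportable (which step 7 of the template configuration says should normally be off). The template display name is an assumption taken from step 5.

```powershell
# Added example (not from the original article): verify the enrolled enrollment agent certificate
# in the current user's Personal store. Run as the account that performed the enrollment.
param([string]$TemplateDisplayName = 'Test Enrollment Agent')  # assumed: the name chosen in step 5

$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information extension

# Describe the private key: CNG (KSP) keys come back as RSACng, legacy CSP keys as RSACryptoServiceProvider.
function Get-KeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return [pscustomobject]@{
            Kind       = 'KSP'
            Provider   = $rsa.Key.Provider.Provider
            Exportable = ($rsa.Key.ExportPolicy -ne 'None')
        }
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return [pscustomobject]@{
            Kind       = 'Legacy CSP'
            Provider   = $rsa.CspKeyContainerInfo.ProviderName
            Exportable = $rsa.CspKeyContainerInfo.Exportable
        }
    }
    return [pscustomobject]@{ Kind = 'unknown (non-RSA key)'; Provider = 'n/a'; Exportable = $null }
}

$found = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    # Only certificates whose EKU includes Certificate Request Agent are enrollment agent certificates.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequestAgentOid })) { continue }

    $tplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    $tplText = if ($tplExt) { $tplExt.Format($false) } else { 'no template extension' }
    $key     = if ($cert.HasPrivateKey) { Get-KeyInfo $cert } else { $null }

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter                     # reflects the Validity Period from step 5
        Template        = $tplText
        TemplateMatches = ($tplText -like "*$TemplateDisplayName*")
        HasPrivateKey   = $cert.HasPrivateKey
        KeyStorage      = if ($key) { "$($key.Kind) ($($key.Provider))" } else { 'n/a' }
        KeyExportable   = if ($key) { $key.Exportable } else { 'n/a' }   # expected False unless step 7 enabled export
    }
}

if (-not $found) {
    Write-Warning "No certificate with the Certificate Request Agent EKU was found in the current user's Personal store."
}
$found | Format-List
```

A healthy result shows `TemplateMatches` True, `HasPrivateKey` True, `KeyStorage` naming a key storage provider such as the Microsoft Software Key Storage Provider when step 4 was applied, and `KeyExportable` False unless you deliberately enabled export in step 7. An exportable enrollment agent key is worth flagging, since anyone who copies it can request certificates on behalf of other users.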
