Allow Subjects to Request a Certificate Based on a Template

Applies To: Windows Server 2008

Certificates can be made available for enrollment so that users can request them as they need them. Users do this with the Certificate Request Wizard, which requests a certificate based on a certificate template. Before they can use the Certificate Request Wizard to obtain a certificate, you must enable the certificate template for these operations.

To properly configure subject enrollment, the administrator must plan the appropriate certificate template or templates to use. Several settings in the certificate template directly affect the behavior of certificate enrollment. For more information on these settings, see:

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To allow subjects to request a certificate that is based on a template

  1. Open the Certificate Templates snap-in.

  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

  3. On the Security tab, add the groups, computers, or users from which you want to allow certificate requests.

  4. In Group or user names, click one of the new objects, and then, on Permissions for ObjectName, under the Allow column, select the Read and Enroll check boxes.

  5. Repeat the previous step for each new object.
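To verify the result of the procedure above, the following PowerShell lists which principals hold Allow entries for Read and Enroll on one template. It is an added example, not part of the original article; it assumes the ActiveDirectory module is available on the administrative workstation, and `ExampleTemplate` is a placeholder template name.

```powershell
# Added example: report which principals have Allow Read and Enroll on a template.
# Assumption: the ActiveDirectory module (RSAT) is installed; it provides the AD: drive.
Import-Module ActiveDirectory

$TemplateName = 'ExampleTemplate'   # placeholder: the CN of the template you changed

# Control access right "Certificate-Enrollment" (shown as Enroll on the Security tab)
$EnrollGuid    = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AdRights      = [System.DirectoryServices.ActiveDirectoryRights]
$GenericRead   = [int]$AdRights::GenericRead
$ExtendedRight = [int]$AdRights::ExtendedRight

# Certificate templates are stored in the forest's Configuration partition
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates," +
              "CN=Public Key Services,CN=Services,$configNC"

$acl = Get-Acl -Path "AD:\$templateDN"

# Read and Enroll are usually separate ACEs, so collect them per principal.
# Only Allow entries are summarized here; review any Deny entries separately.
$summary = @{}
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $id = $ace.IdentityReference.Value
    if (-not $summary.ContainsKey($id)) {
        $summary[$id] = @{ Read = $false; Enroll = $false }
    }

    $rights = [int]$ace.ActiveDirectoryRights
    if (($rights -band $GenericRead) -eq $GenericRead) {
        $summary[$id].Read = $true
    }
    # An empty ObjectType on an extended-right ACE grants all extended rights,
    # which includes Enroll (this also covers Full Control).
    if (($rights -band $ExtendedRight) -and
        ($ace.ObjectType -eq $EnrollGuid -or $ace.ObjectType -eq [guid]::Empty)) {
        $summary[$id].Enroll = $true
    }
}

$summary.GetEnumerator() | Sort-Object Key | ForEach-Object {
    [pscustomobject]@{
        Principal = $_.Key
        Read      = $_.Value.Read
        Enroll    = $_.Value.Enroll
    }
} | Format-Table -AutoSize
```

Compare the rows where Enroll is True against the groups, computers, and users you added in step 3; any broader principal in that list can also request certificates from this template.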
