You need an Enrollment Agent certificate to publish a certificate in Active Directory.
Create an enrollment agent PKCS12 store
1. On the Microsoft CA machine, go to Tools and select Certification Authority.
2. Click your certification authority to expand the root folder.
3. Right-click Certificate Templates, and then select New > Certificate Template to Issue. The Enable Certificate Templates dialog box appears.
4. If the Enrollment Agent template has not already been published, select Enrollment Agent and click OK.
Note: The Enrollment Agent is not available in the list if it has already been published.
5. Open the Microsoft Management Console and add the Certificates snap-in, as follows:
a. To open the Microsoft Management Console, right-click the Start menu, click Run, enter mmc in the Open field, and click OK.
b. Go to File > Add/Remove Snap In.
c. Click Certificates and select Add. The Certificate snap-in dialog box appears.
d. Select My user account.
e. Click Finish and click OK.
6. Click Certificates > Current User.
7. Right-click Personal.
8. Select All Tasks > Request New Certificate. The Certificate Enrollment wizard opens.
9. Click Next. The Select Certificate Enrollment Policy page appears.
10. Click Next. The Request Certificates page appears.
11. Select Enrollment Agent and click Enroll. The Certificates Installation Results page appears.
12. Click Finish.
13. Go to Certification Authority.
14. Select your certification authority to expand the root folder.
15. Right-click Certificate Templates, and then select Manage. The Certificate Templates Console appears.
16. Right-click the Enrollment Agent template and select Duplicate Template. The Properties of New Template dialog box appears.
17. In the Compatibility Settings, select the following:
a. From the Certificate Authority drop-down list, select
– Windows 8.1/Windows Server 2012R2 if you are running on a 2012R2 server
-or-
– Windows 10/Windows Server 2016 if you are running on Windows Server 2016 or later
b. From the Certificate Recipient drop-down list, select
– Windows Server 2012R2 if you are running on a 2012R2 server
-or-
– Windows Server 2016 if you are running on Windows Server 2016 or later
18. Click the General tab and enter a name in the Template display name field.
19. Click the Request Handling tab and select Allow private key to be exported.
20. Click the Issuance Requirements tab and do the following:
a. Select The number of authorized signatures and enter 1 in the text box.
b. From the Policy type required in signature drop-down list, select Application policy.
c. From the Application policy drop-down list, select Certificate Request Agent.
21. Click the Security tab and, under Permissions for Authenticated Users, select Allow for Read, Write, and Enroll. Write lets a holder change the template's settings and Enroll lets a holder request an enrollment agent certificate from it, so where your environment allows it, grant these to the account that will perform the enrollment rather than to all Authenticated Users.
22. Click OK.
23. Go to Certification Authority, right-click Certificate Templates and select New > Certificate Template to Issue.
24. Select the Enrollment Agent template you just created and click OK.
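After the template is issued, you can confirm from a domain-joined machine that it carries the settings chosen in steps 19 through 21 by reading the template object from the configuration partition. The following script is an added example and is not part of the original procedure; it assumes the ActiveDirectory (RSAT) module is installed, that the account running it can read the Certificate Templates container, and it uses a placeholder template name that you replace with the display name entered in step 18.

```powershell
# Added example (not from the original procedure): read the duplicated Enrollment Agent
# template from Active Directory and report the settings made in steps 19-21.
# Assumes the ActiveDirectory module (RSAT) and read access to the configuration partition.
Import-Module ActiveDirectory

$templateName = 'EnrollmentAgentExportable'   # placeholder: display name entered in step 18

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tmpl = Get-ADObject -SearchBase $templatesDN -LDAPFilter "(displayName=$templateName)" `
    -Properties 'msPKI-Private-Key-Flag', 'msPKI-RA-Signature', `
                'msPKI-RA-Application-Policies', 'pKIExtendedKeyUsage'

if (-not $tmpl) { throw "Template '$templateName' not found under $templatesDN" }

# Step 19: "Allow private key to be exported" sets CT_FLAG_EXPORTABLE_KEY (0x10)
# in msPKI-Private-Key-Flag.
$exportable = ($tmpl.'msPKI-Private-Key-Flag' -band 0x10) -ne 0

# Step 20a: number of authorized signatures required on each request.
$signatures = $tmpl.'msPKI-RA-Signature'

# Step 20c: application policy the signing certificate must carry.
# 1.3.6.1.4.1.311.20.2.1 is the Certificate Request Agent OID.
$raPolicy = $tmpl.'msPKI-RA-Application-Policies'

[pscustomobject]@{
    Template             = $templateName
    PrivateKeyExportable = $exportable
    AuthorizedSignatures = $signatures
    RAApplicationPolicy  = ($raPolicy -join ',')
    TemplateEKU          = ($tmpl.pKIExtendedKeyUsage -join ',')
}

# Step 21: list who is allowed to enroll. Enroll is the Certificate-Enrollment
# extended right (GUID 0e10c968-78fb-11d1-a9c7-0000f80367c1); an ACE with an empty
# ObjectType and ExtendedRight/GenericAll grants every extended right, Enroll included.
$enrollRight = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'
$acl = Get-Acl -Path "AD:\$($tmpl.DistinguishedName)"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty) -and
        ($_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Expect PrivateKeyExportable to be True, AuthorizedSignatures to be 1 and RAApplicationPolicy to contain 1.3.6.1.4.1.311.20.2.1; the final table shows every identity that can request an enrollment agent certificate from this template, which is the list to review if you narrowed the permissions in step 21.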
25. Create a new user in Active Directory, as follows:
a. Go to Start > Windows Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers page appears.
b. Right-click Users and select New > User. The New Object > User dialog box appears.
c. Enter a First name, Last name, and User logon name and then click Next.
d. Deselect User must change password at next logon.
e. Enter and confirm a password.
f. Click Next and then click Finish.
26. Open the Microsoft Management Console and add the Certificates snap-in, as described in step 5.
27. Click Certificates > Current User.
28. Right-click Personal and select All Tasks > Advanced Operations > Enroll on Behalf Of. The Certificate Enrollment Wizard opens.
29. Click Next. The Select Certificate Enrollment Policy page appears.
30. Click Next. The Enrollment Agent Certificate page appears.
31. Click Next and then click Browse. The Select a Certificate dialog box appears.
32. Select the newly created Enrollment Agent certificate.
33. Click OK to select the certificate and close the dialog box. A certificate name appears in the Signing Certificate field.
34. Click Next. The Request Certificates page appears.
35. Select the Enrollment Agent certificate template that you created earlier in this procedure and click Next. The Select a user page appears.
36. Enter the User name or alias of the Active Directory user that you created in step 25.
Alternately, you can click Browse to display the Select User dialog box and search for the user.
37. Click Enroll and then click Close.
38. Select Certificates > Current User.
39. Double-click Personal and then double-click Certificates.
40. Right-click your user Enrollment Agent certificate and select All Tasks > Export. The Certificate Export Wizard opens.
Note: You may need to refresh your display to see the certificate. You can identify the certificate by locating the entry in the Issued To column that matches the user created in step 25.
41. Click Next. The Export Private Key page appears.
42. Select Yes, export the private key and click Next.
43. In the Export File Format page, do the following:
a. Select Personal Information Exchange - PKCS #12 (PFX).
b. Select Include all certificates in the certificate path if possible.
c. Click Next. The Security page appears.
44. In the Security page, do the following:
a. Select Password.
b. Enter and confirm a certificate password.
c. Click Next. The File to Export page appears.
45. In the File to Export page, enter a name for your certificate, for example, enroll.
Tip: Click Browse to browse to the location where you want to save your certificate, enter a File name and click Save.
46. Click Next and then click Finish.
47. Click OK on the Export successful confirmation prompt.
48. Copy and save this file. You need this file to Configure a Microsoft CA in IDaaS.
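Before handing the exported file to IDaaS, it is worth opening it once to confirm that it contains what steps 42 and 43 asked for: a private key, the Certificate Request Agent application policy, and the issuing chain. The script below is an added example, not part of the original procedure; it uses the Get-PfxData cmdlet from the Windows PKI module, and the file path is a placeholder that you replace with the location chosen in step 45.

```powershell
# Added example (not from the original procedure): inspect the PFX exported in
# steps 40-47 without importing it into a certificate store.
# Assumes the PKI module that ships with Windows; path is a placeholder.
$pfxPath     = 'C:\certs\enroll.pfx'                               # placeholder: file from step 45
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'    # password set in step 44

$pfx  = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $pfxPath" }

# The CA only honours Enroll on Behalf Of when the signing certificate carries the
# Certificate Request Agent application policy, OID 1.3.6.1.4.1.311.20.2.1.
$requestAgentOid = '1.3.6.1.4.1.311.20.2.1'
$ekus = @()
$ekuExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Extended Key Usage
if ($ekuExt) {
    $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
        ForEach-Object { $_.Value }
}

# Summarise the properties the procedure depends on. Subject should name the user
# created in step 25; OtherCertificates holds the chain included in step 43b.
[pscustomobject]([ordered]@{
    Subject                      = $leaf.Subject
    Issuer                       = $leaf.Issuer
    ValidUntil                   = $leaf.NotAfter
    HasPrivateKey                = $leaf.HasPrivateKey
    HasCertificateRequestAgentEku = ($ekus -contains $requestAgentOid)
    ChainCertificatesIncluded    = $pfx.OtherCertificates.Count
}) | Format-List
```

HasPrivateKey and HasCertificateRequestAgentEku should both be True and ChainCertificatesIncluded should be at least 1. Because the file holds an exportable key that can sign enrollment requests for other users, treat it like a credential: copy it only to where IDaaS needs it and remove any working copies left on the CA or on your workstation.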