After you create the PIV - PIV Authentication certificate template, set the following permissions, which are required to issue certificates with Microsoft CA:
● User permissions
– Read
– Enroll
Set Certificate Authority permissions
1. On the Microsoft CA machine, go to Start > Windows Administrative Tools > Certification Authority.
2. To set the user permissions, right-click Certificate Templates, and then select Manage. The Certificate Templates Console appears.
3. In the templates list, double-click PIV - PIV Authentication. The PIV Authentication Properties dialog appears.
4. Click the Security tab.
5. In the Group or user names list, select the name of the administrator account for the Microsoft CA host computer.
6. Under Permissions for <user account>, in the Allow column, ensure that Read and Enroll permissions are selected.
7. Click OK to save the settings and close the window.
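
To confirm the result of the steps above without opening the console, the template's access control list can be read from Active Directory. The following PowerShell is an added example, not part of the original procedure; it assumes the ActiveDirectory module (RSAT) is installed, and the account name EXAMPLE\ca-admin is a placeholder for the account selected in step 5.

```powershell
# Added example: check the template ACL for the Read and Enroll grants.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition.
Import-Module ActiveDirectory

$TemplateDisplayName = 'PIV - PIV Authentication'  # name shown in the templates list
$Account             = 'EXAMPLE\ca-admin'          # placeholder: account selected in step 5

# Certificate-Enrollment extended right (the "Enroll" checkbox on the Security tab).
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$Rights      = [System.DirectoryServices.ActiveDirectoryRights]

# Certificate templates are stored in the forest's Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$TemplateDisplayName)" |
    Select-Object -First 1
if (-not $template) { throw "Template '$TemplateDisplayName' not found under $base" }

# Only explicit Allow entries for the named account are examined; permissions the
# account holds through group membership are not resolved here.
$aces = (Get-Acl -Path "AD:\$($template.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account }

# Read: the entry must carry at least the read-property right.
$hasRead = [bool]($aces | Where-Object {
    $_.ActiveDirectoryRights.HasFlag($Rights::ReadProperty)
})

# Enroll: an extended-right entry scoped to Certificate-Enrollment,
# or to all extended rights (empty object type).
$hasEnroll = [bool]($aces | Where-Object {
    $_.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
    ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty)
})

[pscustomobject]@{
    Template = $template.DistinguishedName
    Account  = $Account
    Read     = $hasRead
    Enroll   = $hasEnroll
}

if (-not ($hasRead -and $hasEnroll)) {
    Write-Warning "Read and Enroll are not both granted directly to $Account on this template."
}
```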