How to sign a certreq request
I've been tasked with learning how to manually request User certs on behalf of new users. I'm an enterprise admin and I have Enrollment Agent rights to our CA, an Enrollment Agent in my personal cert store and have activated "Enroll for Certificates on Behalf of Other Users". In addition, I have Read and Enroll permission on the cert template we're using.
To request a cert for another user, I'm using the RequesterName tag in the RequestPolicy.inf.
I'm able to make a CertificateRequest with
Certreq.exe -new RequestPolicy.inf CertificateRequest.req, but I need help on the next step (assuming I'm doing this in the right order), signing the request:
I understand that I need to somehow include my Enrollment Agent signature in the command line request, but I don't understand how that's done. I've seen a couple of different examples:
certreq -sign inf.req inf_signed.req
and from TechNet: certreq.exe -sign [RequestFileIn [RequestFileOut]]
My question boils down to: What are these files "RequestFileIn" and "RequestFileOut"?
Thanks in advance!
August 10th, 2011 3:39pm
RequestFileIn - Base64-encoded or binary input file name:
PKCS10 certificate request,
CMS certificate request,
PKCS7 certificate renewal request,
X.509 certificate to be cross-certified, or
KeyGen tag format certificate request
RequestFileOut - Base64-encoded output file name
Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator
August 11th, 2011 5:33pm
Thanks Joseph. Do you sign the request before submitting it, or the other way around?
August 11th, 2011 7:34pm
Please see the other post where you were asking a similar question:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/e4ae3bd3-695e-4a87-b23d-8b3dffc00382
August 12th, 2011 10:34am


