certreq for another AD User
Hi, I need to be able to request a certificate from a user certificate template I've created for another AD user. For testing purposes I'm logged on as my domain administrator, and when I try to execute the following PowerShell script it's not working. If I remove the RequesterName parameter everything is "ok", except that the certificate is issued to the logged-on user, which is Administrator. Thanks for helping.

Here's the error:

Certificate not issued (Denied) Error Verifying Request Signature or Signing Certificate
None of the signers of the cryptographic message or certificate trust list is trusted. 0x8009202b (-2146885589)

Here's my script:

[string] $TemplateName = "CertTemplate"
[string] $CAName = "MyRootCA"
[string] $CertPath = "C:\TEST"
[string] $UserName = "test7"
# $Email is used in the SAN line below but was never defined in the post; placeholder value
[string] $Email = "$UserName@example.com"

Write-Host
Write-Host "Generating Request File"
# remove leftovers from a previous run
Remove-Item $CertPath\usercert.inf -ErrorAction SilentlyContinue
Remove-Item $CertPath\usercert.req -ErrorAction SilentlyContinue

# INF file for certreq; RequesterName is what should make the CA issue the cert to test7
Add-Content $CertPath\usercert.inf @"
[NewRequest]
Subject = "CN=$UserName"
Exportable = TRUE
RequesterName = testlocal\test7
RequestType = CMC

[RequestAttributes]
CertificateTemplate = "$TemplateName"
SAN = "Email=$Email"
"@

# create key pair and request file
certreq -new $CertPath\usercert.inf $CertPath\usercert.req

Write-Host "Sending Certificate Request"
certreq -submit -config "$CAName" $CertPath\usercert.req $CertPath\$UserName.cer

Write-Host "Installing Certificate"
certreq -accept $CertPath\$UserName.cer
February 23rd, 2011 12:09pm

Hello, for detailed CA questions the security forum is the better place: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
February 23rd, 2011 1:05pm

On Wed, 23 Feb 2011 17:03:51 +0000, Yveslap wrote:

> I need to be able to request a certificate from a user certificate template I've created for another AD User.

In order to request a certificate on behalf of another user the following conditions must be met:

1. The user making the request must have access to a certificate and its corresponding private key that contains the Certificate Request Agent purpose in the EKU (like the predefined Enrollment Agent template).
2. The template against which the request is to be issued must be configured to require at least 1 authorized signature with an application policy of Certificate Request Agent (on the Issuance Requirements tab).
3. The request must be signed with the certificate from step 1.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
One picture is worth 128K words.
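The three conditions above turned into a certreq sequence, as an added example that is neither Paul's nor the original poster's code. It assumes certreq's -sign -cert option (signing an existing request with a certificate from the current user's store selected by thumbprint); the thumbprint, CA config string, template and account are placeholders.

```powershell
# Added example: enroll-on-behalf-of (EOBO) with certreq. All values are placeholders.
$TemplateName = "CertTemplate"                    # template requiring 1 Certificate Request Agent signature
$CAConfig     = "ca01.testlocal.local\MyRootCA"   # certreq -config wants "CAHost\CAName"
$TargetUser   = "testlocal\test7"                 # account the certificate is issued to
$EAThumbprint = "<SHA1 thumbprint of the Enrollment Agent certificate>"   # placeholder
$Work         = "C:\TEST"

# 1. Request file. RequesterName is only honoured in a CMC request, and the CA
#    rejects it (0x8009202b) unless the CMC carries a Certificate Request Agent signature.
@"
[NewRequest]
Subject = "CN=test7"
Exportable = TRUE
RequestType = CMC
RequesterName = $TargetUser

[RequestAttributes]
CertificateTemplate = "$TemplateName"
"@ | Set-Content -Path "$Work\eobo.inf" -Encoding ASCII

# 2. Generate the key pair and the unsigned CMC request. The private key is created
#    in the store of the account running this script, not in test7's profile.
certreq -new "$Work\eobo.inf" "$Work\eobo.req"

# 3. Condition 3: sign the request with the enrollment agent certificate (condition 1).
#    -cert picks it by thumbprint instead of the certificate selection dialog; it must
#    be present, with its private key, in the current user's store.
certreq -sign -cert $EAThumbprint "$Work\eobo.req" "$Work\eobo-signed.req"

# 4. Submit the signed request; the issued certificate is written to the .cer file,
#    which is the "local folder" output useful for testing without a smart card.
certreq -submit -config $CAConfig "$Work\eobo-signed.req" "$Work\test7.cer"

# 5. Optional: pair the issued certificate with its private key in this account's store.
certreq -accept "$Work\test7.cer"
```

Because the key pair from step 2 lives under the account that ran the script, step 5 installs the certificate there rather than for test7; with Exportable = TRUE the pair can be exported as a PFX and imported for the target user. Check the CA's Issued/Denied Requests view after step 4 to confirm which signature the CA evaluated.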
February 24th, 2011 5:00am

Hi Paul, OK, I've configured the enrollment agent on the user that I want my script to run as for testing purposes, and I've set the issuance requirement to 1 signature. If I use the wizard I'm able to start the request-on-behalf-of process, specify my agent certificate and the user for whom I want to enroll a certificate, and then it asks me for a smart card... Am I able to specify another target, like a local folder, to save the certificate for testing purposes? And the real question: in my script, how and where do I specify to use my agent certificate for the enroll on behalf? Thanks for helping
February 24th, 2011 9:38am
