2.8 Enrollment Agent certificate
If an Enrollment Agent certificate does not already exist, the MyID connector automatically attempts to acquire one and place it in the Edefice certificate store. For MyID to manage certificates, the Enrollment Agent template must be published on the CA and the MyID COM+ account must have enrollment privileges for that template.
If you have an advanced configuration that requires the use of named credentials or an HSM, or if your enrollment agent template is not called EnrollmentAgent, you can request the EA certificate manually. See section 2.8.1, Manually requesting the Enrollment Agent certificate for details.
To check your template is configured correctly:
- In the MMC Snap-in for managing Certificate Templates for Microsoft CA, select properties for the EA template.
- On the Cryptography tab, set the Provider Category to Legacy Cryptographic Service Provider (for CSP) or Key Storage Provider (for CNG/KSP).
2.8.1 Manually requesting the Enrollment Agent certificate
- Request the Enrollment Agent certificate using the certificate manager snap-in:
  - Log on to the MyID application server using the MyID COM+ user account.
  - From the Windows Start menu, run certmgr.msc.
  - Expand Certificates - Current User > Personal.
  - Right-click the Personal folder, then from the pop-up menu select All Tasks > Request New Certificate.
  - Click Next, then click Next again.
  - Select the Enrollment Agent certificate, click Details, then click Properties.
  - On the General tab, provide a friendly name and description as required.
  - On the Private Key tab, change the CSP/KSP and key length as required.
  - On the Certification Authority tab, select the issuing authority from which you want to issue the Enrollment Agent certificate, then click OK.
  - Click Enroll.
  - Click Finish to complete the request.
- Export the certificate and add it to the Edefice store:
  - In Internet Explorer, select Internet Options.
  - On the Content tab, click Certificates, then select the certificate you installed. The certificate is listed with the purpose Certificate Request Agent.
  - Click Export.
  - Use the Certificate Export Wizard to save the file. Do not export the private key. Select the DER encoded binary X.509 (.CER) format and give the file the name my_ea.cer.
  - Open a command prompt and navigate to the folder containing my_ea.cer.
  - Type the following (note that the switches use ordinary hyphens):

        certutil -addstore -user edefice my_ea.cer

    If the Edefice store does not exist, you must use the -f parameter to force its creation:

        certutil -addstore -f -user edefice my_ea.cer
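The following PowerShell script is an added example and is not part of the MyID documentation or product. Run as the MyID COM+ user on the application server, it checks whether the Edefice store already holds a certificate with the Certificate Request Agent purpose, imports my_ea.cer only if it does not (creating the store if necessary, as the -f switch does), and confirms that the matching private key is present in the Personal store. The file name my_ea.cer and the store name edefice come from the procedure above; the $CerPath parameter and Test-EnrollmentAgentCert function are assumptions of this example.

```powershell
# Added example (not MyID code): verify/import the Enrollment Agent certificate
# in the current user's "edefice" store. Assumes my_ea.cer is in the current folder.
param(
    [string]$CerPath = (Join-Path $PWD 'my_ea.cer')   # assumed default file name
)

# Enhanced Key Usage OID for "Certificate Request Agent" (Enrollment Agent).
$EnrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'

function Test-EnrollmentAgentCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EnrollmentAgentEku })
}

# Open the edefice store under Current User; without OpenExistingOnly, Open() creates it if missing.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('edefice', 'CurrentUser')
$store.Open('ReadWrite')

$existing = @($store.Certificates | Where-Object { Test-EnrollmentAgentCert $_ })
if ($existing.Count -gt 0) {
    foreach ($c in $existing) {
        Write-Output ("Enrollment Agent cert already in edefice store: {0} (expires {1})" -f $c.Subject, $c.NotAfter)
    }
} else {
    if (-not (Test-Path $CerPath)) { throw "Enrollment Agent certificate file not found: $CerPath" }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    # Refuse to import a certificate that is not actually an Enrollment Agent certificate.
    if (-not (Test-EnrollmentAgentCert $cert)) { throw "$CerPath does not carry the Certificate Request Agent EKU" }
    $store.Add($cert)
    Write-Output ("Imported {0} into CurrentUser\edefice" -f $cert.Thumbprint)
}
$store.Close()

# The exported .cer has no private key; the key must still be in the COM+ user's Personal store.
$withKey = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and (Test-EnrollmentAgentCert $_) })
if ($withKey.Count -eq 0) {
    Write-Warning 'No Enrollment Agent certificate with a private key found in CurrentUser\My'
}
```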