Create and enroll certificates for Certificate Based Authentication on mobile phones

The purpose of this step by step  article is to create user certificates with a validity period of 3 years instead of the default one year.

Since all users will visit the IT services desk to have the certificates installed on their mobile devices, we will use the “Enroll on behalf” option in ADCS 2008R2.

On my next article, we will see how to configure Forefront TMG 2010 to use Kerberos Constrained Delegation with Exchange Server 2010 SP1.

Note – not all steps are required in all organization. See what fits you best.

Logged on as the Domain Administrator, open the User certificate MMC Snap-in:

Right-click on the Personal certificate store, and choose “All tasks”, “Request new certificate”:

In the first window click ‘Next’:

Choose your enrollment policy:

In the certificate template screen choose “Enrollment Agent” and click “Enroll”:

This is what you should see:

The new certificate is in your personal certificate store and you can now enroll certificates on behalf of other users:

To assign this privilege to other users, right-click your personal certificate store, choose “All Tasks”, “Advanced Operations”, “Enroll On Behalf Of”:

Click “Next” on the first screen:

Choose your Enrollment policy:

Click “Browse” to choose the enrollment agent certificate you just created:

Choose your certificate and Click “OK”:

Click “Next”:

Choose the “Enrollment Agent” certificate template again, and click “Next”:

Click “Browse” to select the user you would like to enroll the certificate to:

Here I chose one user from the helpdesk staff:

It looks like this, now Click “enroll”:

And now you can choose whether to enroll another user or finish the operation:

Now you can see that the IT Helpdesk users 1 and 2 have also the ability to enroll certificates on behalf of users:

That’s done; let’s create the certificate template for the mobile devices:

Open your CA console, expand to “Certificate templates”, then right click it and choose “Manage”:

This will open the certificate templates snap-in. Scroll down to the User certificate template and choose “Duplicate Template”:

It will ask you which template would you like to create – I normally choose Windows Server 2008:

Once you press OK, the new certificate template is opened. Name your certificate template and change the certificate validity period. I think 3 years is more than enough:

Switch to the “Issuance Requirements” tab and change the following:

· Check the “This number of authorized signatures” box and type ‘1’ in the box.

· Make sure that the policy type required in the signature is “Application policy”.

· Change the Application policy to “Certificate Request Agent” from the drop down menu.

· Click OK to close the template.

This is just half way. You also need to start the registry editor and go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<Your CA Name>.

There, look for the value “ValidityPeriodUnits” Change it from 2 (default) to as high as you want. Note that you can only set the validity period on the template to as much as it’s set on the registry (i.e. even if you set the certificate template to 10 years and the registry is set to 3, you will only be able to extend the validity period to 3 years). This change does not affect predefined templates.

Now you can see the template in the templates list:

Go back to your CA mmc snap-in, and from “Certificate Templates”, choose “New”, “Certificate template to issue”:

Choose your new template and click OK:

You can see it under “Certificate Templates”:

Now – Let’s request a certificate on behalf of a user:

Right-click your personal certificate store, then choose “All Tasks”, “Advanced Operations”, “Enroll On Behalf Of”:

Click “Next” on the first screen:

Then, choose your Enrollment policy:

Click “Browse” to choose your enrollment agent certificate:

Choose your signing certificate and click “OK”: (Note you have more than one now)

Choose your new certificate and click “Next”:

Select the user you want to enroll the certificate to and click “Enroll”:

That’s it. Your user’s certificate is ready:

5 thoughts on “Create and enroll certificates for Certificate Based Authentication on mobile phones

  1. Hi y0av,
    I’ve just come across your article, which is basically what I want to do for our Helpdesk staff as well. However, I have a problem at the first step.

    When I right-click on the Personal certificate store, and choose “All tasks”, “Request new certificate” and click “Next”, I do not have an Enrollment Policy to select.

    I guess I need to create one, are you able to assist on how to create this?

    Thanks in advance!

    1. Hi Rho.

      Have you configured Certificate Autoenrollment?
      Follow this link (check both “Manage Certificate Enrollment Policy by Using Group Policy” and “Manage Certificate Enrollment Policy by Using the Certificates Snap-in” to see which one fits you best) to make sure you configured an enrollment policy and enabled one as your default.

      It’s usually a checkbox issue…

      Let me know how this worked for you!

  2. y0av,

    Does this mean I can use a self-signed cert for authentication for OWA users? I have been looking to do this for sometime to tighten authentication mechanisms for OWA. Having port 443 open to the world to log into is crazy, having to have a cert to authenticate makes it way easier to sleep. Is this the purpose?

    1. Hi Jack,

      The purpose of this article is to provide certifiacte-based authentication for mobile phone users via activesync.
      OWA works with certificate-based authentication, just the same.
      Microsoft published a very handy manual on how to do it here:
      You can use the same method of enrollment described in this post to enroll certifiactes to your users, by using your internal CA.

      Please update if you have any questions!


  3. One of the most well written and straight forward articles on the topic there is. That registry change was what i was missing….thanks.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.