This feature builds on the autoenrollment use case by introducing a co-signer for the certificate request. In this use case, the enrollment agent creates and signs the initial certificate request. The enrollment agent then submits the signed request to the CA. The CA returns the issued certificate to the enrollment agent, who then provides the issued certificate to the end entity via an out-of-band process.
For more information, refer to the Microsoft documentation.
a. Prepare the Enrollment Agent certificate template
b. Prepare the template to issue certificates using EOBO
c. Enrollment Agent user action
d. Renew certificates issued by EOBO
There are four methods to renew an EOBO-issued certificate:
If there is no certificate that meets the criteria for the Enrollment Agent Certificate, the Confirm Certificate dialog will show No certificate available:
The following criteria apply:
For point 3 above, the revocation checks for the certificates can be verified using the following command:
The CRL information cache can be cleared and refreshed using the following commands:
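The revocation check on Enrollment Agent certificates mentioned above can also be run from PowerShell. This is an added example, not a command from the original page or from the vendor. It assumes the agent certificate sits in the current user's Personal store and is identified by the Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1). The function name is hypothetical.

```powershell
# Added example: find Enrollment Agent certificates in Cert:\CurrentUser\My
# and build each chain with online revocation checking enabled.
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU

function Test-EnrollmentAgentCertificate {    # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        # Fetch CRL/OCSP data for every certificate in the chain.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        # Require the chain to be valid for the request-agent usage.
        $oid = New-Object System.Security.Cryptography.Oid $RequestAgentOid
        $chain.ChainPolicy.ApplicationPolicy.Add($oid) | Out-Null

        $valid = $chain.Build($Certificate)
        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            NotAfter      = $Certificate.NotAfter
            HasPrivateKey = $Certificate.HasPrivateKey   # needed to sign the request
            ChainValid    = $valid
            # Empty when the chain is clean; otherwise e.g. Revoked,
            # RevocationStatusUnknown, OfflineRevocation, NotTimeValid.
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally {
        $chain.Reset()
    }
}

$agents = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequestAgentOid })
}

if (-not $agents) {
    Write-Warning 'No certificate with the Certificate Request Agent EKU was found.'
} else {
    $agents | ForEach-Object { Test-EnrollmentAgentCertificate -Certificate $_ } | Format-List
}
```

A `ChainStatus` of `RevocationStatusUnknown` or `OfflineRevocation` means the revocation data could not be retrieved, which is different from the certificate being revoked.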