You must create a CA Enrollment Agent (EA) before creating the RA recovery agents and the RA enrollment agents.

A CA enrollment agent is self-enrolled and internal to the CA, while an RA enrollment agent is co-located with CA Gateway.

Publishing the enrollment template

If not already published, publish the enrollment agent template as explained in this section.

To publish the enrollment agent template

  1. On the Microsoft CA server machine, run MMC.
  2. Under the certificate authority name, right-click Certificate Templates.
  3. Select New > Certificate Template to Issue.
  4. Select Enrollment Agent.

Creating an enrollment certificate for the CA Administrator

Create an enrollment certificate for the CA administrator user of the Microsoft CA server.

Do not export the CA administrator's enrollment key.

To create an enrollment certificate for the administrator

  1. On the Microsoft CA server machine, run MMC.
  2. Under the Personal node, right-click Certificates and select All Tasks > Request New Certificate.
  3. Follow the wizard instructions. When prompted, select the Enrollment Agent template.
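
The two procedures above can also be scripted and checked from PowerShell. The following is an added example, not part of the original documentation; it assumes it runs on the Microsoft CA server as the CA administrator, that the ADCSAdministration and PKI modules are available, and that the template has its default internal name EnrollmentAgent.

```powershell
# Added example (assumptions: run on the CA server as the CA administrator;
# the "Enrollment Agent" template has its default internal name).
Import-Module ADCSAdministration

$templateName    = 'EnrollmentAgent'
$requestAgentEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU

# Publish the template only if the CA does not already issue it.
$published = Get-CATemplate | Where-Object { $_.Name -eq $templateName }
if (-not $published) {
    Add-CATemplate -Name $templateName -Force
    Write-Output "Published template '$templateName'."
} else {
    Write-Output "Template '$templateName' is already published."
}

# Request the enrollment certificate into the administrator's Personal store.
# The private key stays in this store; the script never exports it.
$result = Get-Certificate -Template $templateName -CertStoreLocation Cert:\CurrentUser\My
if ($result.Status -ne 'Issued') {
    throw "Enrollment request was not issued (status: $($result.Status))."
}

# Confirm the issued certificate carries the Certificate Request Agent EKU
# and a private key, and list every such certificate in the store so that
# unexpected enrollment agent certificates stand out.
$agents = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $requestAgentEku }

if ($agents.Thumbprint -notcontains $result.Certificate.Thumbprint) {
    throw 'Issued certificate does not carry the Certificate Request Agent EKU.'
}

$agents | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```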