FortiToken PKI Manager must be installed on the CA Server so that “FEITIAN CSP For Fortinet V1.0” is present on the server as an applicable CSP. This CSP works only with 2003 Certificate Templates and does not work with later template versions. (PKI Manager may also be installed on an Enrollment Machine to facilitate Certificate Management.)
To facilitate and secure the issuance of User Certificates to SmartCards, an Enrollment Agent should be used. The Enrollment Agent ensures that only one user account has permission to enroll for the SmartCard Certificate, and it makes issuance easier and faster because that account can enroll Certificates on behalf of other users. In this document, the Enrollment Agent is referred to as scuser.
This part has two major steps: creating the Enrollment Agent template and enrolling the user with that template.
While it is possible to use the built-in SmartCard Logon Certificate, it defaults to a Microsoft CSP and must be manually changed to “FEITIAN CSP For Fortinet V1.0” each time a new batch of Certificates is needed. Creating a duplicate template eliminates this need, because the CSP to use can be fixed in the template itself. NOTE: The CSP “FEITIAN CSP For Fortinet V1.0” will not appear in the list unless FortiToken PKI Manager is installed on the Active Directory Certificate Services server.
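One way to check both prerequisites from PowerShell on the AD CS server, as an added example that is not part of the original guide. The template name `FortiTokenSmartcardLogon` is a hypothetical placeholder, and the script assumes the ActiveDirectory module (RSAT) is available.

```powershell
# Added example (not from the original guide). Run on the AD CS server.
$CspName      = 'FEITIAN CSP For Fortinet V1.0'
$TemplateName = 'FortiTokenSmartcardLogon'   # hypothetical template name, replace with yours

# 1. Legacy CSPs register under this key; it is absent until PKI Manager is installed.
$provKey = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$CspName"
if (Test-Path -LiteralPath $provKey) {
    Write-Output "OK: '$CspName' is registered on $env:COMPUTERNAME."
} else {
    Write-Warning "'$CspName' is not registered on $env:COMPUTERNAME; install FortiToken PKI Manager."
}

# 2. Read the duplicated template from the AD configuration partition.
Import-Module ActiveDirectory -ErrorAction Stop
$base = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
        (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase $base `
    -LDAPFilter "(|(cn=$TemplateName)(displayName=$TemplateName))" `
    -Properties 'pKIDefaultCSPs', 'msPKI-Template-Schema-Version'

if (-not $tpl) {
    Write-Warning "Template '$TemplateName' was not found in Active Directory."
    return
}

# Schema version 2 corresponds to a Windows Server 2003 template.
$version = $tpl.'msPKI-Template-Schema-Version'
if ($version -ne 2) {
    Write-Warning "Template schema version is $version; this CSP needs a 2003 (version 2) template."
}

# pKIDefaultCSPs values look like "1,<provider name>"; strip the priority prefix.
$csps = @($tpl.pKIDefaultCSPs | Where-Object { $_ } | ForEach-Object { $_ -replace '^\d+,', '' })
if ($csps.Count -eq 1 -and $csps[0] -eq $CspName) {
    Write-Output "OK: template '$TemplateName' is pinned to '$CspName'."
} else {
    Write-Warning "Template CSP list is [$($csps -join '; ')]; expected only '$CspName'."
}
```

A warning from the second check means enrollment from that template can fall back to a CSP other than the FortiToken one.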
This last step uses the newly created Enrollment Agent, on the server or on a designated Enrollment Machine, to request and sign Certificates directly onto the FortiToken-300.