Verify Enroll on behalf of for Windows

This article is valid for CM 8.5 and later.

This article describes how to verify Enroll on behalf of (EOBO) for Windows over CMC or PKCS#7.

Prerequisites

See Enroll on behalf of in WinEP .

Step-by-step instruction

For CMC:

Create CMC file

Create a file called eobo-cmc.inf with the following contents:
```
[NewRequest]
RequestType=cmc
RequesterName=<domain>\<username>

[RequestAttributes]
CertificateTemplate=User
```
a. Replace <domain> with the domain for which to generate the request.
b. Replace <username> with the username for which to generate the request.

Run CMC commands

Run the following commands:

Command 1
```
> certreq.exe -new -cert "Enrollment Agent Signer" eobo-cmc.inf mycmc.req
```
Command 2
```
> certreq.exe -submit mycmc.req
```
The second command returns a certificate for the requested user.

For PKCS#7:

Create PKCS#7 file

Create a file called eobo-pkcs7.inf with the following contents:
```
[NewRequest]
RequestType=pkcs7
RequesterName=<domain>\<username>

[RequestAttributes]
CertificateTemplate=User
```
a. Replace <domain> with the domain for which to generate the request.
b. Replace <username> with the username for which to generate the request.

Run PKCS#7 commands

Run the following commands:

Command 1
```
> certreq.exe -new -cert "Enrollment Agent Signer" eobo-pkcs7.inf mypkcs7.req
```
Command 2
```
> certreq.exe -submit mypkcs7.req
```
The second command returns a certificate for the requested user.

For more information about PKCS#7, see https://docs.microsoft.com/en-us/windows/win32/seccertenroll/pkcs--7-eobo-request .