Create a user account (say, serviceca), on behalf of which the system shall request user certificates in the Certification Authority and set the rights to work with certification authority for this account:
1. Open the Certification Authority tool, select the certification authority and switch to its Properties. 2. Click Add in the Security tab. 3. Specify the service account (serviceca) as the user. 4. Define the Issue and Manage Certificates permissions for the account and save settings by clicking ОК. 5. Switch to Certificate Templates section in the Certification Authority console tree, right-click and select the Manage item from the context menu. 6. In the Enrollement Agent template security properties, add the service account and set permissions to Read and Enroll for it. Set the similar permissions for all certificate templates to be used by the Indeed CM system. This is necessary, say, for Copy of Smartсard Logon template, which is used to issue the certificates for operating system logon with smart card.
If you have more than one certification authority in your environment, then one and the same set of privileges is to be assigned to the service account for all certification authorities.