Hi all,
I am building a three-tier PKI - offline root CA, Intermediate CA and Issuing CA.
Currently, I have created a custom certificate template for the Issuing CA and checked the issuance requirements checkbox titled "CA certificate manager approval". I understand that when the Issuing CA enrolls from the Intermediate CA, that request sits in the Pending Requests of the Intermediate CA until a manager approves that request.
I'd like to go one step further and require that the manager supply a smart card/signature before approving the request. How do I go about doing that? I see that there is another checkbox titled "This number of authorized signatures" where I have to add some issuance policies, but it is at this point that I get confused about what to do.
Can anyone provide guidance on what I need to do to achieve what I want?
Thanks!