I'm currently writing an application that administrators can use to enroll smartcard logon certificates on behalf of regular users. I have a valid certificate with the EnrollmentAgent template in my certstore, that was issued from the same CA that I enroll the smartcard certificates from. This is my code, based on the CMCOnBehalf.cpp sample (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/certenrollment.asp)
using XENROLLLib;     // xenroll.dll interop: CEnroll
using CERTCLIENTLib;  // certcli.dll interop: CCertRequestClass

const int XECR_CMC = 3;  // createRequest format: CMC (wraps the PKCS#10 and carries the agent signature)

CEnroll enroll = new CEnroll();
enroll.ProviderName = Properties.Settings.Default.CSP;
enroll.KeySpec = 1;                       // AT_KEYEXCHANGE
enroll.addCertTypeToRequest("SmartcardLogon");
enroll.ProviderType = 1;                  // PROV_RSA_FULL
enroll.GenKeyFlags = 1024 << 16;          // key length in the upper 16 bits (1024-bit RSA)
enroll.EnableSMIMECapabilities = Convert.ToInt32(true);
// The enrollment agent certificate; CEnroll looks up its private key in the store to sign the CMC request.
enroll.SignerCertificate = Convert.ToBase64String(this.signingCertificate.RawData);
enroll.addNameValuePairToSignature("RequesterName", this.user.Account); // the user on behalf of whom the certificate is being enrolled
// CertificateUsage.SMARTCARD_LOGON holds the Smart Card Logon EKU OID (1.3.6.1.4.1.311.20.2.2).
string certRequest = enroll.createRequest(XECR_CMC, subjectCN, CertificateUsage.SMARTCARD_LOGON);
CCertRequestClass requestClass = new CCertRequestClass();
// CertificateOutputFormat.Base64 is the CR_IN_BASE64 input flag; "" = no request attributes; authority = "host\CAName".
requestClass.Submit((int)CertificateOutputFormat.Base64, certRequest, "", authority);
When trying to issue a certificate on behalf of any user of this domain, I get this error message from requestClass.GetDispositionMessage(): "None of the signers of the cryptographic message or certificate trust list is trusted 0x8009202b (-2146885589)". From this I would think that the enrollment agent certificate is not trusted, but it has been issued by the same authority and is still valid.
Is it the signer certificate that CEnroll doesn't like? If I use IEnroll4 in .cpp, I can enroll successfully.
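Added diagnostic, not part of the original post: 0x8009202b is CRYPT_E_NO_TRUSTED_SIGNER, so the first things to confirm from the client side are that the enrollment agent certificate the C# code signs with actually chains to a trusted root under the Certificate Request Agent application policy, that its private key is usable, and which certificates the generated CMC blob really carries. The script below assumes the agent certificate lives in the current user's Personal store and that the Base64 request produced by createRequest was saved to the path in $RequestFile; both the parameter names and the file path are assumptions.

```powershell
# Added example (not from the original post). Checks the enrollment agent certificate
# and dumps the CMC request before it is submitted to the CA.
param(
    [string]$AgentThumbprint = '',          # assumed: empty means "search by EKU"
    [string]$RequestFile     = '.\request.req'  # assumed: Base64 output of createRequest
)

$ReqAgentEku = '1.3.6.1.4.1.311.20.2.1'    # Certificate Request Agent EKU OID
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# 1. Locate the enrollment agent certificate (by thumbprint, or first one carrying the EKU).
$store = Get-ChildItem Cert:\CurrentUser\My
$agent = if ($AgentThumbprint) {
    $store | Where-Object Thumbprint -eq $AgentThumbprint
} else {
    $store | Where-Object {
        ($_.Extensions | Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object Value -eq $ReqAgentEku) -ne $null
    } | Select-Object -First 1
}
if (-not $agent) { throw "No certificate with the Certificate Request Agent EKU found in CurrentUser\My" }
"Agent cert: {0} (expires {1})" -f $agent.Subject, $agent.NotAfter

# 2. The CMC signature needs the private key; a cert imported without it will not work.
if (-not $agent.HasPrivateKey) { throw "Agent certificate has no associated private key" }

# 3. Build the chain the way a relying party would: online revocation checking and
#    the Certificate Request Agent application policy required along the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$ReqAgentEku)
$built = $chain.Build($agent)
"Chain builds: $built"
$chain.ChainElements | ForEach-Object { "  - " + $_.Certificate.Subject }
$chain.ChainStatus   | ForEach-Object { "  ! {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }

# 4. Dump the CMC request: the certificates section shows which signer certificate(s)
#    the CA receives, and the signature block shows the RequesterName attribute.
if (Test-Path $RequestFile) {
    certutil -dump $RequestFile
} else {
    "Request file $RequestFile not found; save createRequest() output there to inspect it."
}
```

If the chain builds cleanly here but the CA still answers CRYPT_E_NO_TRUSTED_SIGNER, compare the certutil dump of this request against one produced by the working IEnroll4 C++ build: the difference will be in the CMC wrapper (signer certificate included or not, signing key) rather than in the inner PKCS#10.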