524 Netscape Certificate Management System Installation and Setup Guide • May 2002

• Mail—you can mail PINs to users, for example along with their pay stubs or slips.
• Personal delivery—you can arrange a secure means of delivering the password to the user, or ask the user to collect it from you in person.

Setting Up Agent Initiated End User Enrollment

The Registration Manager enables end users to enroll for a certificate in person by going to a Registration Manager agent. This method of enrollment is identified as agent-initiated-end-user enrollment, face-to-face enrollment, or in-person-certificate enrollment.

The form for the agent-initiated-end-user enrollment is located here:

/cert-/web-apps/ee/ra/hashDirUserEnroll.template

The enrollment form works in conjunction with an authentication plug-in, named HashAuth, provided for the Registration Manager. That is, the enrollment form works only if an instance of the HashAuth authentication plug-in is enabled in the Registration Manager’s configuration, giving administrators control in deciding whether agents should be permitted to perform certificate enrollment for end users.

By default, the Registration Manager is enabled for the agent-initiated-end-user enrollment method—a default instance, named AgentDirEnrollment, of the HashAuth plug-in is created during Registration Manager’s installation. If you want to turn this feature off, then you must disable or delete the AgentDirEnrollment instance.

Similar to other enrollment methods, you should test this feature before asking Registration Manager agents to start enrolling users in person. For agent operations, you will need a valid agent certificate.

Managing Authentication Instances

This section explains how to use the CMS window to do the following:

• Configuring Authentication for End-User Enrollment
• Deleting an Authentication Instance
• Modifying an Authentication Instance