Requesting certificates

Based on the published certificate templates, users can request certificates from the issuing CA. I have logged into an end user PC and am going to request a certificate based on the template we just created in the previous step.

Go to Run and type MMC. Then go to Add/Remove Snap-in... | Certificates and click on the Add button.

From the list, select the computer account to manage certificates for the computer object. This depends on the template. Once selected, in the next window, select Local computer as the target.

If the user is not an administrator, with default permissions only the Current User snap-in can be opened. To open the computer account, MMC needs to be run as administrator.

Once MMC is loaded, go to the Personal container, right-click, and then follow All Tasks | Request New Certificate.

This opens a new window. Click Next until you reach the request certificate window, where we can see the new template. Click on the checkbox to select the certificate template, and then click on the link with the yellow warning sign to provide the additional details that are required for the certificate.

Provide the required fields and click on OK to proceed. Most of the time, it is the Common name that is required if it is a computer certificate.

Once it's done, click on Enroll to request the certificate. The certificate request is then processed automatically and the certificate is issued. Once it's issued, it can be found under the Personal | Certificate container.

We can see that a valid certificate has been issued. At the same time, information about this issued certificate can be found under the issuing CA's Certification Authority MMC | Issued Certificate.
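
The same enrollment can be scripted, which is useful when the request has to be repeated or recorded as part of the documented procedure. The following is an added example, not part of the original text: it uses the Get-Certificate and Test-Certificate cmdlets from the Windows PKI module, and the template name and Common name shown are placeholders, because the values used in this exercise are not repeated here.

```powershell
# Added example. Run in an elevated PowerShell session on the domain-joined
# client, because the request targets the computer store (the Personal
# container of the computer account used in the MMC steps).

# Assumptions (placeholders, not values from the exercise):
$templateName = '<TEMPLATE-NAME>'      # template name (not display name) published on the issuing CA
$commonName   = 'pc01.example.test'    # constructed sample value for the Common name field

# Submit the request to the issuing CA and enroll into LocalMachine\My.
$result = Get-Certificate -Template $templateName `
                          -SubjectName "CN=$commonName" `
                          -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -eq 'Issued') {
    $cert = $result.Certificate

    # Show the fields that are worth recording for the issued certificate.
    $cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint, HasPrivateKey

    # Validate the chain up to a trusted root, as the client sees it.
    if (Test-Certificate -Cert $cert) {
        Write-Output "Certificate $($cert.Thumbprint) chains to a trusted root."
    }
    else {
        Write-Warning 'Certificate was issued but failed chain validation on this client.'
    }

    # Confirm that it is present in the computer account's Personal store.
    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
        Select-Object Subject, Thumbprint, NotAfter
}
else {
    # A Pending status means the request is waiting for approval on the CA.
    Write-Warning "Request was not issued immediately. Status: $($result.Status)"
}
```

The thumbprint printed by the script can be matched against the entry for the same certificate in the issuing CA's Certification Authority MMC.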

In this exercise, you learned how to set up a two-tier PKI from top to bottom. After the setup, as with any other system, regular maintenance is required to keep it in good health. Also, it is important to have proper documentation about the setup, certificate templates, and procedures to issue, renew, and revoke different types of certificates.
