- Microsoft Windows 2008 Server is installed and configured as a Primary Domain Controller.
- Active Directory is configured to manage users and computers.
- DNS Server is configured with your domain name.
- Internet Information Services (IIS) is installed (to be able to request a certificate through the Smart Card Enrollment Station).
- Microsoft Windows Certificate Services is installed and configured.
- Microsoft CA is configured with an issuance Certificate Template for smart card logon onto the domain. It must include the following certificates:
  - Enrollment Agent – a certificate intended for the entity that should be able to enroll certificates for entities other than itself. For example, when an administrator wants to deploy smart card logon certificates for the employees in an organization, he would require an “Enrollment Agent” certificate.
  - Smartcard Logon – intended for smart card logon onto the domain.
  - Smartcard User – an all-round certificate, intended both for smart card logon and, for example, signing and encrypting e-mail messages and web authentication.
- Microsoft CA Registration Authority (RA) station is created with:
  - All the drivers required for your HID Crescendo C1150 card and smart card reader.
  - An Enrollment Agent Certificate configured with Microsoft Enhanced Cryptographic Provider 1.0 or similar as the CSP.

Issuing a Smart Card using Microsoft Certificate Authority

Enroll a Smart Card for a User with Internet Explorer

- From the enrollment station, connect to the “Smart card Certificate Enrollment Station” web page of the CA.
  This smart card enrollment web page can be found at http://<machine-name>/certsrv/
  where <machine-name> is the machine on which you have installed the CA.
- Select Request a certificate.
- Select advanced certificate request.
- Select Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.
The Smart Card Certificate Enrollment Station window opens.
- Under Enrollment Options:
  - From the Certificate Template drop-down list, choose Smartcard User.
  - From the Cryptographic Service Provider drop-down list, select Microsoft Base Smart Card Crypto Provider.
  - Ensure the correct Enrollment Agent certificate is selected in the Administrator Signing Certificate box.
- Select a User to Enroll by clicking Select User.
- Enter the name of the user for whom you are enrolling a certificate in the Enter the object name to select field.
- Click Check Names to verify the entry, and then click OK.
- Verify the user’s smart card is inserted into the smart card reader.
- Click Enroll to enroll a smartcard user certificate for the user.
- Enter the PIN, and then click OK to continue.
After the certificate request has been made, the CA will sign the request and return a certificate. This certificate is automatically placed on the smart card. You might be prompted to confirm the issuance of a certificate. At the end of the smart card enrollment process, you are informed that the smart card is ready for use.
- You can verify that the certificate contains the correct personal information about the user by clicking View Certificate. You also have the opportunity to enroll a new user by clicking New User.
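
The View Certificate check in the last step can also be scripted, so that every issued card is checked the same way. The PowerShell below is an added example, not part of the original guide. It assumes the certificate was either saved to a file or propagated from the inserted card to the current user's certificate store. The function and parameter names are hypothetical, and the two EKU OIDs are the standard Smart Card Logon and Client Authentication identifiers.

```powershell
# Added example, not from the original guide. Save as a .ps1 file and run on
# the enrollment station after the card has been issued.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExpectedUpn,   # UPN of the user the card was enrolled for
    [string]$CerPath        # optional: certificate file saved from View Certificate
)

$OidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$OidClientAuth     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU

function Test-SmartCardCert($Cert, $ExpectedUpn) {
    # Collect the enhanced key usage OIDs carried by the certificate.
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    # The UPN in the Subject Alternative Name maps the card to the AD account,
    # so a mismatch means the card would log on as a different user.
    $upnType = [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName
    $upn = $Cert.GetNameInfo($upnType, $false)
    $now = Get-Date
    New-Object PSObject -Property @{
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer
        Thumbprint     = $Cert.Thumbprint
        Upn            = $upn
        UpnMatches     = ($upn -ieq $ExpectedUpn)
        SmartCardLogon = ($ekus -contains $OidSmartCardLogon)
        ClientAuth     = ($ekus -contains $OidClientAuth)
        InValidity     = ($Cert.NotBefore -le $now) -and ($now -le $Cert.NotAfter)
        ChainTrusted   = $Cert.Verify()   # chain to a trusted root, default policy
    }
}

if ($CerPath) {
    $type  = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $certs = @(New-Object $type -ArgumentList (Resolve-Path $CerPath).Path)
} else {
    # Assumption: inserting the card propagated its certificate to this store.
    $certs = @(Get-ChildItem Cert:\CurrentUser\My)
}

# One result per certificate; every boolean should be True for the new card.
$certs | ForEach-Object { Test-SmartCardCert $_ $ExpectedUpn } | Format-List
```

When run without `-CerPath`, the output also lists any other certificates in the store, so match the entry to the new card by its Subject or Upn value.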