Thursday, December 22, 2011

Installing Windows 2008 R2 Certificate Services for SmartCard Authentication - Part 1

Environment (Hardware & Software)

  1. Windows 2008 R2 Enterprise Edition Certificate Services
  2. Windows 2003 R2 Domain Controllers
  3. VMware View 5 VDI clients (Windows XP SP3)
  4. Gemalto .NET SmartCard
  5. Dell FX-100 Zero Client with Dell USB keyboard and SmartCard reader
  6. HP 620 Laptop Clients (Windows XP SP3)

Installation of Windows 2008 R2 Certificate Services

Start the Server Manager

Click Add Roles

Select Active Directory Certificate Services
Click on the Next button

Click on the Next button

Select Certification Authority, Certification Authority Web Enrollment and Online Responder
Click on the Next button

Click on Add Required Role Services, as IIS is required and not yet installed

Check Enterprise, Click Next

Check Root CA, click Next

Check Create a new private key, click Next

Select SHA256
Warning: operating systems older than Windows XP SP3 cannot use certificates signed with SHA256.

Type the Common name of the CA

Enter for the validity period: 5 years

Click on the Next button

Click on the Next button

Click on the Next button

Click Next and then the installation starts

Configuration of the Certificate Services

The following certificate templates need to be published by the CA:

  1. Enrollment Agent: an enrollment agent certificate must be issued to any user who will request a smart card certificate on behalf of another user during issuance.
  2. Smart Card User: any user issued a certificate based on this template may use it for Smart Card Logon, Client Authentication and Secure Email. This template will be customized by duplicating the existing one.

Duplicate the Smartcard User template

Click Start/Administrative Tools/Certification Authority

Expand the CA you defined
Right-click Certificate Templates and select Manage

Right-click on Smartcard User and select Duplicate Template

Select the appropriate Certificate Template Version

In the Properties of New Template window, set up the template as described below

In the General tab, change the name to MySmartcardUser, increase the Validity period and the Renewal period, and select Publish certificate in Active Directory

In the Request Handling tab, click on the CSPs… button

Select Requests must use one of the following CSPs

In the list of CSPs, select Microsoft Base Smart Card Crypto Provider
Click the OK button

Click on the Issuance Requirements tab
Select This number of authorized signatures and enter 1
Under Policy type required in signature, select Application policy
Under Application policy, select Certificate Request Agent

Click on the OK button
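As an added verification step (this script is not part of the original post), the following PowerShell reads the template object from the forest Configuration partition and checks that the settings described above were actually saved in Active Directory. It assumes the template name (its CN in AD) is MySmartcardUser and that it is a version 2 (Windows Server 2003) template, as the CSP-based configuration implies.

```powershell
# Added example (not from the original post): verify the duplicated
# smart card template in AD. Assumes the template name/CN is MySmartcardUser.
param([string]$TemplateName = 'MySmartcardUser')

# Certificate templates are stored in the forest Configuration partition.
$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$tplPath  = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tplPath)) {
    throw "Template '$TemplateName' not found under $configNc"
}
$tpl   = [ADSI]$tplPath
$props = $tpl.psbase.Properties

# Well-known OIDs referenced by the template settings above.
$oidRequestAgent   = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$oidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'
$oidClientAuth     = '1.3.6.1.5.5.7.3.2'
$oidSecureEmail    = '1.3.6.1.5.5.7.3.4'
$baseCsp           = 'Microsoft Base Smart Card Crypto Provider'

$raSignatures = [int]$props['msPKI-RA-Signature'].Value      # Issuance Requirements: authorized signatures
$raPolicies   = @($props['msPKI-RA-Application-Policies'])   # application policy required on the signing cert
$csps         = @($props['pKIDefaultCSPs'])                  # "Requests must use one of the following CSPs"
$eku          = @($props['pKIExtendedKeyUsage'])             # extended key usages of issued certificates
$enrollFlags  = [int]$props['msPKI-Enrollment-Flag'].Value   # CT_FLAG_PUBLISH_TO_DS = 0x8 (MS-CRTD)

$checks = @(
    @{ Name = 'Exactly one authorized signature required'
       Pass = ($raSignatures -eq 1) },
    @{ Name = 'Signing certificate must carry the Certificate Request Agent policy'
       Pass = (@($raPolicies | Where-Object { "$_" -like "*$oidRequestAgent*" }).Count -gt 0) },
    @{ Name = "Requests restricted to '$baseCsp' only"
       Pass = (($csps.Count -eq 1) -and ("$($csps[0])" -like "*$baseCsp*")) },
    @{ Name = 'EKU includes Smart Card Logon, Client Authentication and Secure Email'
       Pass = (($eku -contains $oidSmartCardLogon) -and ($eku -contains $oidClientAuth) -and ($eku -contains $oidSecureEmail)) },
    @{ Name = 'Certificate is published to Active Directory'
       Pass = (($enrollFlags -band 0x8) -ne 0) }
)

$failed = 0
foreach ($c in $checks) {
    if ($c.Pass) { $status = 'PASS' } else { $status = 'FAIL'; $failed++ }
    Write-Output ('[{0}] {1}' -f $status, $c.Name)
}
if ($failed -gt 0) { Write-Warning "$failed check(s) failed for template '$TemplateName'" }
```

Run it as a domain user with read access to the Configuration partition; a FAIL on the signature or CSP checks means the template would issue smart card certificates without the enrollment agent approval or on a software key store, which is the situation this tutorial's settings are meant to prevent.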

Publish the templates

Right-click Certificate Templates and select New → Certificate Template to Issue
Select Enrollment Agent and click OK to add

Right-click again on Certificate Templates and select New → Certificate Template to Issue
Select MySmartcardUser and click OK to add

Check that the MySmartcardUser and Enrollment Agent templates are now listed under Certificate Templates

Enroll the Enrollment Agent certificate

Launch the MMC

Add the Certificates snap-in: click on File, then on Add/Remove Snap-in

Select Certificates, click Add

Select My user account and click Finish

Click on the OK button

Back in the MMC console, right-click on the Personal container > All Tasks > Request New Certificate

Click Next in the next two windows; in the third window, select the Enrollment Agent certificate and then click Enroll

The Enrollment Agent certificate has been enrolled successfully. Click on Finish

This certificate is stored in the Personal container

Enroll the Smartcard User certificate on behalf of the user

Ensure that the Base CSP package has been downloaded and installed on the client machine where the smart card user certificate will be issued. For the Gemalto .NET smart card there is no additional software that needs to be installed.

Back in the MMC console, right-click on the Personal container > All Tasks > Advanced Operations > Enroll On Behalf Of

For the Signing certificate, click on Browse

Select the Enrollment Agent Certificate

Select Administrator and click on the Next button

Select the MySmartcardUser template and click Next

Select the end user for whom the certificate is issued

Enter the SmartCard PIN code

The smart card is now enrolled and can be used, for example, for smart card logon.