A smart card enrollment station allows a designated employee or agent to issue smart cards from one centralized workstation or from any number of designated workstations. Designating enrollment stations and agents simplifies the physical preparation of the cards to be issued, reduces the chance of certificate service interruption, and enforces separation of duties: users and managers cannot validate their own identification and issue their own certificates. This matters most in organizations or environments where different levels of security and access exist.
Prepare a smart card certificate enrollment station
Before requesting smart card logon certificates for users:
- The Enrollment Agent and Smart Card Logon or Smart Card User certificate templates must be configured and enabled for issuance on the certification authority (CA).
- If desired, enrollment agent restrictions must be configured.
- The enrollment agent must have enrolled for an enrollment agent certificate; that certificate signs every request the agent makes on behalf of other users.
- On the computer that you will use to set up smart cards, follow the manufacturer's instructions to install a smart card reader.
The following procedures explain how to enroll for smart card certificates on behalf of other users and how to prepare the enrollment station by obtaining the enrollment agent certificate. Complete the second procedure (To prepare a smart card certificate enrollment station) before the first: the enroll-on-behalf-of wizard cannot sign a request until an enrollment agent certificate is present in the agent's Personal store. These procedures can be completed on any computer running Windows 7 or Windows Vista, or on a Windows Server 2008 R2 or Windows Server 2008 member server, that you want to use as a smart card certificate enrollment station.
Membership in the Users group and an enrollment agent certificate are the minimum requirements to complete this procedure.
To enroll for a certificate on behalf of other users
1. Open the Certificates snap-in for a user.
2. To confirm that you are in Logical certificate stores view, right-click Certificates - Current User, point to View, click Options, verify that Logical certificate stores is selected, and then click OK.
3. In the console tree, expand the Personal store, and then click Certificates.
4. On the Action menu, point to All Tasks, click Advanced Operations, and then click Enroll on behalf of to open the Certificate Enrollment Wizard. Click Next.
5. Browse to the enrollment agent certificate that you will use to sign the certificate request that you are processing. Click Next.
6. Select the type of certificate that you want to enroll for. When you are ready to request a certificate, click Enroll.
7. After the Certificate Enrollment Wizard has successfully finished, click Close.
To complete the following procedure, you must be logged on as a domain user who has Enroll permission on the Enrollment Agent certificate template (by default, only members of Domain Admins and Enterprise Admins) and who is allowed to add snap-ins to a console.
To prepare a smart card certificate enrollment station
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In Snap-in, double-click Certificates.
4. Click My user account, and then click Finish.
5. Click Close, and then click OK.
6. Double-click Certificates - Current User.
7. In the console tree, click Personal.
8. On the Action menu, point to All Tasks, and then click Request New Certificate.
9. In the Certificate Enrollment Wizard, click the Enrollment Agent certificate template and provide the requested information.
10. When prompted by the Certificate Enrollment Wizard, click Install Certificate.
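The two procedures above are what the GUI does; the same flow can be scripted with certreq.exe, which is useful when an enrollment station issues cards in volume. The block below is an added example and not code from the original article. Everything specific in it is an assumption: the CA config string, the template names EnrollmentAgent and SmartcardLogon, the target account, and the CSP name. It relies on certreq's RequesterName INF key and its -sign switch as described in the certreq reference; confirm both on your build with certreq -? before depending on them.

```powershell
# Added example, not code from the original article: a certreq.exe equivalent of the
# two GUI procedures above, typed into PowerShell on the enrollment station.
# Assumptions (none appear in the article): CA config string, template names,
# target account, CSP name, and certreq's RequesterName / -sign behaviour.
$CaConfig   = 'ca01.contoso.com\Contoso-Issuing-CA'        # assumed; list CAs with: certutil -dump
$TargetUser = 'CONTOSO\jdoe'                               # assumed account to enroll on behalf of
$CardCsp    = 'Microsoft Base Smart Card Crypto Provider'  # assumed; some cards need the vendor CSP
$Work       = Join-Path $env:TEMP 'eobo'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# An enrollment agent certificate carries the Certificate Request Agent EKU.
$AgentEku = '1.3.6.1.4.1.311.20.2.1'

function Get-EnrollmentAgentCert {
    # Unexpired certificates with a private key and the agent EKU in the user's Personal store.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $ekuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $ekuExt -and
        (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $AgentEku)
    }
}

# --- "To prepare a smart card certificate enrollment station": enroll for the agent
#     certificate. The logged-on user needs Enroll permission on the EnrollmentAgent template.
if (-not (Get-EnrollmentAgentCert)) {
    @"
[NewRequest]
Subject = "CN=Enrollment Agent"
KeyLength = 2048
Exportable = FALSE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = EnrollmentAgent
"@ | Set-Content -Path "$Work\agent.inf" -Encoding ASCII
    certreq -new    "$Work\agent.inf" "$Work\agent.req"
    certreq -submit -config $CaConfig "$Work\agent.req" "$Work\agent.cer"
    certreq -accept "$Work\agent.cer"              # lands in Cert:\CurrentUser\My
}

$agent = Get-EnrollmentAgentCert | Select-Object -First 1
if (-not $agent) { throw 'No enrollment agent certificate is available; cannot enroll on behalf of others.' }
Write-Host "Signing requests with agent certificate $($agent.Thumbprint) ($($agent.Subject))"

# --- "To enroll for a certificate on behalf of other users": the key pair is generated
#     on the card in the reader (PIN prompt), the request is signed with the agent
#     certificate, submitted to the CA, and the issued certificate is written to the card.
$cn = $TargetUser.Split('\')[-1]
@"
[NewRequest]
Subject = "CN=$cn"
KeyLength = 2048
Exportable = FALSE
KeySpec = 1
ProviderName = "$CardCsp"
RequestType = PKCS10
RequesterName = "$TargetUser"

[RequestAttributes]
CertificateTemplate = SmartcardLogon
"@ | Set-Content -Path "$Work\user.inf" -Encoding ASCII

certreq -new    "$Work\user.inf" "$Work\user.req"
certreq -sign   "$Work\user.req" "$Work\user-signed.req"   # choose the agent certificate in the picker
certreq -submit -config $CaConfig "$Work\user-signed.req" "$Work\user.cer"
certreq -accept "$Work\user.cer"
Remove-Item "$Work\*.inf", "$Work\*.req"   # the .req files hold no secrets, but leave nothing behind
```

Two design points. The agent certificate is requested with Exportable = FALSE so the signing key cannot be copied off the station; if you install the agent certificate on a smart card instead (see Additional considerations), set ProviderName in the agent INF to the card CSP as well. The target user's key pair is generated by the smart card CSP, so the private key never exists on the workstation, and certreq -accept writes the issued certificate onto the same card.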
Additional considerations
- You can install the enrollment agent certificate on a smart card, which ties the agent's signing key to a physical token and PIN instead of a software key on the workstation. To do this, you must use the smart card manufacturer's cryptographic service provider (CSP) when requesting the certificate. (In the Certificate Enrollment Wizard, expand Details, click Properties, and on the Private Key tab select the smart card CSP before you click Enroll.)
- Once someone has an enrollment agent certificate, that person can enroll for a certificate and generate a smart card on behalf of anyone in the organization; the resulting smart card can then be used to log on to the network as that user. Treat the enrollment agent certificate as a privileged credential: limit Enroll permission on the Enrollment Agent template to the designated agents, use restricted enrollment agents (available on a Windows Server 2008 Enterprise or Datacenter edition CA) to limit which templates an agent may request and for which users or groups, review the CA database for issued enrollment agent certificates and for certificates issued on behalf of others, and revoke an agent's certificate as soon as the agent's role ends.
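A policy that restricts enrollment agents is only as good as the ability to check it. The block below is an added example, not code from the original article, that answers three questions from the CA itself: who currently holds a valid enrollment agent certificate, which smart card logon certificates were actually issued on behalf of someone else, and who is permitted to obtain an agent certificate at all. The CA config string is an assumption; the column names are the ones certutil -view prints (Requester Name, Caller Name), and dsacls needs the AD DS management tools installed.

```powershell
# Added example, not code from the original article: enrollment agent checks read
# from the CA database with certutil -view and from the template ACL with dsacls.
# Assumed: the CA config string. Run on the CA or a host with the AD CS and AD DS tools.
$CaConfig = 'ca01.contoso.com\Contoso-Issuing-CA'   # assumed; list CAs with: certutil -dump

function ConvertFrom-CertutilView {
    # Turns the "Row N:" / "  Column: value" text that certutil -view prints into objects.
    param([string[]]$Lines)
    $rows = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Row \d+:') {
            if ($current -ne $null) { $rows += New-Object PSObject -Property $current }
            $current = @{}
        } elseif ($current -ne $null -and $line -match '^\s+([^:]+):\s*(.*)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim().Trim('"')
        }
    }
    if ($current -ne $null) { $rows += New-Object PSObject -Property $current }
    $rows
}

function Get-EnrollmentAgentHolders {
    # Who can sign on-behalf-of requests right now: issued (Disposition 20), unexpired
    # certificates from the EnrollmentAgent template. A v1 template is stored by name.
    ConvertFrom-CertutilView (certutil -config $CaConfig -view `
        -restrict 'CertificateTemplate=EnrollmentAgent,Disposition=20,NotAfter>now' `
        -out 'RequestID,RequesterName,NotBefore,NotAfter,SerialNumber')
}

function Get-OnBehalfOfIssuances {
    # The CA records the account the certificate is for in Requester Name and the account
    # that submitted the request in Caller Name; a row where they differ was issued by an agent.
    param([string]$Template = 'SmartcardLogon')
    ConvertFrom-CertutilView (certutil -config $CaConfig -view `
        -restrict "CertificateTemplate=$Template,Disposition=20" `
        -out 'RequestID,RequesterName,CallerName,NotBefore,SerialNumber') |
        Where-Object { $_.'Requester Name' -ne $_.'Caller Name' }
}

function Get-EnrollmentAgentTemplateAcl {
    # Who may obtain an agent certificate in the first place: the Enroll
    # (Certificate-Enrollment) right on the template object in the configuration partition.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    dsacls "CN=EnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
}

'--- Accounts holding a valid enrollment agent certificate'
Get-EnrollmentAgentHolders | Format-Table -AutoSize
'--- Smart card logon certificates issued on behalf of someone else'
Get-OnBehalfOfIssuances | Format-Table -AutoSize
'--- Who may enroll for the Enrollment Agent template (look for Certificate-Enrollment entries)'
Get-EnrollmentAgentTemplateAcl
```

Run the first two functions on a schedule and diff the output: a new name in the agent list, or an on-behalf-of issuance from a caller who is not a designated agent, is exactly the impersonation path the consideration above warns about. Rows from the agent list also give you the serial numbers to pass to certutil -revoke when an agent leaves the role.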
Additional references
- To configure an enrollment agent certificate template for issuance from a CA, see Managing Certificate Templates (https://go.microsoft.com/fwlink/?LinkId=142230).
- To configure a restricted enrollment agent, see Establish Restricted Enrollment Agents.