Microsoft Certificate Authority (CA) provides basic smart card certificate templates. However, these standard Microsoft CA templates cannot be used as they are on Windows 2012 and 2016 servers. They must be duplicated and configured first. This section shows how you can set up a Smart Card certificate template on the server that can be used to self-enroll a smart card.
In the Server Manager, choose Tools, then Certification Authority.
Expand your server name to reveal Certificate Folders.
Right click the Certificate Templates folder and choose Manage.
A new window opens with a list of templates in the middle pane. Right click the "Smart Card User" template and select "Duplicate Template". (The Smart Card User template is a general use template that enables computer logon, as well as signing and encryption. If only smart card logon is needed, you can instead select the “Smart Card Logon” template.)
Next, adjust the properties of the new template. Under the Compatibility tab, leave the Windows Server 2003 settings chosen.
Under the General tab, rename the template.
Under the Request Handling tab, select Purpose: "Signature and smartcard logon".
Click through the resulting warning box as shown here.
Note that "Prompt the user during enrollment" gets selected after the warning box, leave that selected.
Under the Cryptography tab, change the minimum key size to 2048, select "Requests must use one of the following providers", and check Microsoft Base Smart Card Crypto Provider. This will ensure that the smart card is used for storing the certificate and keys.
Under the Security tab, be sure the Enroll ability is set for the group or users who will be setting up the smart cards for logon (use the Add button to add groups or individual users).
For the Smartcard User template (but not the Smartcard Logon template), under the Subject Name tab, leave the defaults as they are if the intended smart card users have email addresses filled in the field under General Properties of their user accounts. This is found in the Server Manager under Tools->Active Directory Users and Computers. You may need to click on the Users folder although sometimes it is chosen for you already, then right click the user(s) in question and select Properties.
If the users do not have email addresses in their User Properties, and if you will not be using these certificates to sign emails, under the Subject Name tab, deselect "Include e-mail name in subject name" and "E-mail name" as shown below.
Click OK to save the template. Close that window.
Note: If you will be using the standard Windows PIV minidriver, or any other middleware that supports PIV cards, (Option 2 for deployment from article PIVKey Deployment Overview), you must map the PIV certificates. This can be done using the PIVKey Tool or it can be done in the templates. To do so in the templates, please see article Mapping a PIV Certificate using an OID, which explains how to set it up in the Extensions tab.
The Certificates Template folder contains all the templates assigned to the CA. Some templates are assigned to the CA by default, the new template needs to be issued to be added to the Certification Authority templates. Right click the Certificate Templates folder, choose New, then Certificate Template to Issue.
Choose the template you just created and click Ok. Click the Certificate Templates folder to check that the new certificate template is now visible in that folder.