Setting up a Smart Card Template for Self-Enrollment (Server 2012 R2 & 2016)

Microsoft Certificate Authority (CA) provides basic smart card certificate templates. However, these standard Microsoft CA templates cannot be used as they are on Windows 2012 servers. They must be duplicated and configured first.  This section shows how you can set up a Smart Card certificate template on the server that can be used to self-enroll a smart card.

First, go to the CA snap-in.  In the Server Manager, choose Tools, then Certification Authority. 

Server_Manager_CA.png

Expand your server name to reveal Certificate Folders.

Expand_Server_Name.png

Right click the Certificate Templates folder and choose Manage.

Manage_Templates_in_CA.png

A new window opens with a list of templates will be in the middle pane.  Right click the "Smart Card User" template and select "Duplicate Template".  (The Smart Card User template is a general use template that enables computer logon, as well as signing and encryption.  If only smart card logon is needed, you can instead select the “Smart Card Logon” template.)

Choose_Smart_Card_User_Duplicate.png

Next, adjust the properties of the new template.  Under the Compatibility tab, leave the 2003 settings chosen.  

 Compatibility_2003.png

Under the General tab, rename the template.

Rename_the_Template.png

 Under the Request Handling tab, select Purpose: "Signature and smartcard logon".

Request_Handling.png

Click through the resulting warning box as shown here.

Request_Handling_Warning.png

Note that "Prompt the user during enrollment" gets selected after the warning box, leave that setting.

Under the Cryptography tab, change the minimum key size to 2048, select "Requests must use one of the following providers", and check Microsoft Base Smart Card Crypto Provider.  This will ensure that the smart card is used for storing the certificate and keys.

Cryptography_Tab.png

Under the Security tab, be sure the Enroll ability is set for the group or users who will be setting up the smart cards for logon (use the Add button to add groups or individual users).  

Security_tab_for_template.png

For the Smartcard User template (but not the Smartcard Logon template), under the Subject Name tab, leave the defaults as they are if the intended smart card users have email addresses filled in the field under General Properties of their user accounts.  This is found in the Server Manager under Tools->Active Directory Users and Computers, you may need to click on the Users folder although sometimes it is chosen for you already, then right click the user(s) in question and select Properties.

UserEmail.png

If the users do not have email addresses in their User Properties, and if you will not be using these certificates to sign emails, under the Subject Name tab, deselect "Include e-mail name in subject name" and "E-mail name" as show below.

Subject_Name.png

Click OK to save the template.  Close that window.

Note:  If you will be using the standard Windows PIV minidriver, or any other middleware that supports PIV cards, (Option 2 for deployment from article Getting Started with PIVKey Management), you must map the PIV certificates.  This can be done using the PIVKey Tool or it can be done in the templates.  To do so in the templates, please see article Mapping a PIV Certificate using an OID, which explains how to set it up in the Extensions tab.

 

The Certificates Template folder contains all the templates assigned to the CA. Some templates are assigned to the CA by default, the new template needs to be issued to be added to the Certification Authority templates.  Right click the Certificate Templates folder, choose New, then Certificate Template to Issue.  

Cert_Template_to_Issue.png

Choose the template you just created and click Ok.  Click the Certificate Templates folder to check that the new certificate template is now visible in that folder.

You are now ready to have users self-enroll their smart card certificates.  See article Self-enrolling a Smart Card Certificate

Have more questions? Submit a request

0 Comments

Article is closed for comments.
Powered by Zendesk