Note: This article assumes you have set up the Windows Certification Authority with the correct Smart Card certificate templates (see the articles on Setting up a Smart Card for Self-Enrollment for the Windows Server version being used). In addition, the PC on which you are enrolling has to be joined to the domain from which the certificate is issued.
To self-enroll a smart card certificate for yourself, ensure you are logged in as the correct user and run MMC.exe. The MMC console will appear.
Select "Add/Remove Snap-in" from the File menu. Select Certificates and then "My user account" or "Current User". Note that this may already be selected by default.
Under "Certificates - Current User", right-click the Personal folder, select "All Tasks" and select "Request New Certificate".
Click through the first screen to see the list of available templates.
Select the smart card user template you have just created and click Next or Enroll.
Enter the smart card PIN and click OK.
Depending on the smart card and the key size chosen, the key and certificate enrollment process may take as long as 30 seconds. (Should you receive a security violation error saying the certificate request could not be created, click the Retry button.) On success the following appears:
At this point, the smart card is ready to be used if you will be using the PIVKey Minidriver for deployment (Option 1 from the article PIVKey Deployment Overview). Option 1 requires the PIVKey Minidriver User software be installed on all machines where the card will be used.
If you will be using the standard Windows PIV minidriver, or any other middleware that supports PIV cards, for deployment (Option 2 from the article PIVKey Deployment Overview), then you must map the PIV certificates (or they could have been set up to map using an OID in the certificate template's Extensions property tab; see Mapping a PIV Certificate using an OID).
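To confirm the result of the enrollment steps above, the following PowerShell check is an added example (not part of the original article or of PIVKey's own tooling). It lists certificates in the Current User Personal store that carry the Smart Card Logon EKU and shows the key provider reported by certutil; it assumes your template includes that EKU, and the OIDs are the standard Microsoft and PKIX values.

```powershell
# Added example (not from the original article): confirm the self-enrolled
# certificate landed in Certificates - Current User > Personal.
# Assumption: the smart card template includes the Smart Card Logon EKU.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon EKU
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU
$UpnName = [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName
$now = Get-Date

# Keep only certificates whose EKU list contains Smart Card Logon.
$certs = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid
})

if ($certs.Count -eq 0) {
    Write-Warning 'No certificate with the Smart Card Logon EKU in the Personal store.'
    return
}

foreach ($cert in $certs) {
    $ekuOids = @($cert.EnhancedKeyUsageList.ObjectId)
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        Upn           = $cert.GetNameInfo($UpnName, $false)  # UPN from the SAN, if present
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = $ekuOids -contains $ClientAuthOid
        WithinDates   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    } | Format-List

    # certutil reports which provider holds the key; for a card-resident key
    # a smart card provider is expected rather than a software provider.
    certutil -user -store My $cert.Thumbprint |
        Select-String -Pattern '^\s*Provider\s*=', '^\s*Key Container\s*='
}
```

Run it as the enrolled user with the card inserted; certutil may prompt for the card or PIN while it inspects the key.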