This article provides resources to help set up the environment described in the article:
Requirements for Issuing Smart Card Certificates
There are many resources on the internet showing how to set up such an environment; a simple search turns up plenty of how-to articles and videos. We have linked to Microsoft-branded resources in this article, but many other helpful and reputable articles and videos are available online. One source we have found particularly user-friendly is the Windows 10 Forums. It is not owned or operated by Microsoft, so use it at your own risk, but it has many tutorial articles and videos on these topics.
The description below is for a simple testing environment. A full production environment would be much more complex, requiring a good deal of planning and design. Some articles to visit:
- An older blog series with some excellent information can be found here:
Designing and Implementing a PKI
- Another slightly dated article with some good information is this one:
Enterprise PKI with Windows Server 2012 R2
For more in-depth information, visit the Microsoft Virtual Academy which provides free online training courses. Some examples of courses relevant to this topic include:
- Windows Server 2012 Implementing a Basic PKI
- Windows Server Administration Fundamentals
- Understanding Active Directory
Or consider formal training in Microsoft technologies. Some courses that cover these topics include:
- Course 2821A: Deploying and Managing a Public Key Infrastructure
- Course 10967A: Fundamentals of a Windows Server Infrastructure
- Course 10969B: Active Directory Services with Windows Server
- Course 20742B: Identity with Windows Server 2016
Step by Step Setup
- The first requirement is a Windows Server. PIVKey supports Windows Server 2008, 2012 and 2016. For help installing the Windows Server operating system, see Windows Server 2016 Installation.
- Next, the server needs to be configured, Active Directory Services installed, and the server promoted to a Domain Controller. This article is for Server 2012 R2, but the steps should be very close if not identical:
Building Your First Domain Controller on 2012 R2
After the server restarts, if there is a network error, go back into the network settings to check and reset the primary DNS server (some versions of Windows Server have been known to change it after promotion to Domain Controller).
- The next step is adding Active Directory Certificate Services in Enterprise mode:
Install the Certification Authority
(NOTE: SHA1 is fine in a test environment, but a stronger hash algorithm is recommended for production environments.) Restarting the server is recommended after setting up the CA.
- Users will need to be created in the new Active Directory. To do so, go to Tools and choose Active Directory Users and Computers. For testing purposes, consider creating a user account that will self-enroll as well as a second user account to be enrolled by the first user.
Click on the Users folder, then choose Action, New, User. Fill in the fields for the user and click Next.
Give the new user a password and set the rules for it. One note: if the users will be getting certificates to sign emails, an email address must be filled in under the General properties of their user accounts. To add one, right-click the user name just created and select Properties, then enter the email address in the field.
Note that there are many options, and that users can also be placed into groups. An Active Directory Group can be created specifically to have permissions for certificate administration.
- In addition to users, client computers also need to be joined to the domain. To do so, first update the client computer's DNS settings so that the Preferred DNS server is the server's IP address. Then go to the Control Panel, choose System and Security, then System. On the right-hand side of the window, click Change Settings, then Change. It is a good idea to change the computer's name to something easy to remember first: enter a new name and restart. After the restart, go back into the System control panel, choose Change Settings, then Change. Select Domain instead of Workgroup and enter the name of the new domain. At the prompt for a user name and password, enter one of the users created in the previous step or a server admin account. Once authenticated, a welcome-to-the-domain message appears.
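The same build, from promoting the Domain Controller through joining the client, expressed as PowerShell. This is an added example, not code from the original article or from PIVKey; the domain name corp.example.test, the NetBIOS name CORP, the server address 10.0.0.10, the interface alias "Ethernet", the CA name and the user names are all assumed values for a test lab.

```powershell
# Added example (not from the article): the server build and client join as PowerShell.
# Assumed values: domain corp.example.test, NetBIOS name CORP, DC address 10.0.0.10,
# interface alias "Ethernet". Run each stage on the indicated machine, one stage at a
# time, because the promotion and rename steps reboot the machine.

# --- Stage 1 (on the server): install AD DS and promote to Domain Controller --------
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString "Directory Services Restore Mode password"
Install-ADDSForest -DomainName "corp.example.test" -DomainNetbiosName "CORP" `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force   # reboots when done

# --- Stage 2 (on the server, after reboot): check DNS, then install the Enterprise CA -
# Promotion can leave the preferred DNS server pointing elsewhere; point it at this DC.
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "10.0.0.10"
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# SHA256 rather than SHA1, so the same command is usable outside a test lab.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName "CORP-Test-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 5 -Force
certutil -cainfo   # quick check that the new CA answers

# --- Stage 3 (on the server): two test users, e-mail addresses, a cert-admin group ---
$pw = Read-Host -AsSecureString "Initial password for the test users"
foreach ($u in @(@{Name = "alice"; Mail = "alice@corp.example.test"},
                 @{Name = "bob";   Mail = "bob@corp.example.test"})) {
    New-ADUser -Name $u.Name -SamAccountName $u.Name `
        -UserPrincipalName "$($u.Name)@corp.example.test" -EmailAddress $u.Mail `
        -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
}
New-ADGroup -Name "Certificate Admins" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "Certificate Admins" -Members "alice"
# The article requires a populated e-mail address for e-mail signing certificates;
# flag any enabled account that is still missing one.
Get-ADUser -Filter 'Enabled -eq $true' -Properties EmailAddress |
    Where-Object { -not $_.EmailAddress } |
    ForEach-Object { Write-Warning "$($_.SamAccountName) has no e-mail address" }

# --- Stage 4 (on the client): DNS to the DC, rename and reboot, then join the domain -
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "10.0.0.10"
Rename-Computer -NewName "ENROLL01" -Restart
# After the reboot, join with one of the domain users created above:
Add-Computer -DomainName "corp.example.test" -Credential (Get-Credential "CORP\alice") -Restart
```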
After templates are created on the server, a client computer can be used as an enrollment station to log into the domain with one of the user or admin accounts to request and load certificates onto the PIVKey. See the articles in the section: Windows CA on the PIVKey help desk.