To enroll for a smart card certificate on behalf of someone, the user must have an enrollment agent certificate. The smart card enrollment agent can create smart cards on behalf of any user, including an enterprise administrator.
Follow the steps below to create an enrollment agent trusted to enroll for a smart card certificate on behalf of other users:
Create an Enrollment Agent enabled Smart Card Certificate Template:
- Open the Certificate Template Management console
- Right click the Smartcard User or Smartcard Logon template and choose Duplicate Template
Note: If you are using a Windows 2008 CA or above you will be prompted to select the minimum CA for your new template. Select the 2003 Enterprise option.
- Provide a name for the smart card template and set the validity period that you desire for the environment
- On Request Handling tab, do the following
- Select Signature and smartcard logon under Purpose
- Under CSPs, select the CSP that should be used for your smart cards
- On Issuance Requirements tab, do the following
- Select The number of authorized signatures: and set it to 1
- Under Policy type required in signature, select Application Policy
- Under Application Policy select Certificate request Agent
- On the Security tab, make sure the user or group that is designated as enrollment agent has Read and Enroll permissions on the template
- Click Apply and then OK.
- Close Certificate Templates console
- In the Certificate Authority snap-in, right click Certificate Templates folder and select New
- Select “Certificate Template to Issue”
- Select the new template and click Ok
Specify/adjust the permissions of the Enrollment Agents and publish the Enrollment Agent certifiacte template:
- Open the Certificate Template Management console
- Right-click the EnrollmentAgent template, and then click Properties
- On the Security tab, make sure the user or group designated as an enrollment agent has Read and Enroll permissions on the template, and then click OK
- In the Certificate Authority snap-in, right click Certificate Templates folder and select New
- Select “Certificate Template to Issue”
- Select the Enrollment Agent template and click Ok
Enroll the smart card enrollment agent certificate:
Note: It is recommended to store the enrollment agent certificate on a smart card to provide proper protection
- Log on to the domain with the Enrollment Agent account
- Open certmgr.msc to manage the current users certificates
- Open the Personal folder, right-click in the right-hand pane, and then click All Tasks.
- Click Request New Certificate
- Complete the Certificate Request Wizard and request an Enrollment Agent certificate
Create a smart card certificate for a user using the new smart card template and the enrollment agent:
- Log on to system that has a smart card reader with a user that has an Enrollment Agent certificate
- Open certmgr.msc
- Expand Personal, and then right-click on the Certificates folder
- Select All Tasks > Advanced Operations > Enroll on behalf of from the context menu
- Click Next
- When prompted, browse to the signing certificate for the enrollment agent. Click Next
- Select the certificate template you created, and click Next
- Browse and select the user name (This will be the subject of the smartcard certificate) Click Enroll
The Basics of PKI
Public Key Infrastructure (PKI) refers to the set of hardware, software, people, policies, and procedures necessary to create, manage, store, distribute, and revoke certificates based on public key cryptography. The characteristic operation of PKI is known as certification (the issuance of certificates). PKI certification provides a framework for the security feature known as authentication (proof of identification).
Understanding the role of PKI in identity management involves the following basic terms:
- The Public/Private Key Pair – The mathematics of public/private key pairs is beyond the scope of this guide, but it is important to note the functional relationship between a public and a private key. PKI cryptographic algorithms use the public key of the receiver of an encrypted message to encrypt data, and the related private key and only the related private key to decrypt the encrypted message.
- Digital Signature – A digital signature of a message is created with the signer’s private key. The corresponding public key, which is available to everyone, is then used to verify this signature. The secrecy of the private key must be maintained because the framework falls apart after the private key is compromised.
- Certification Authority (CA) – An authority that trusted to create and issue certificates that contain public keys acting as a trust in a public key infrastructure and providing services that authenticate the identity of individuals, computers, and other entities in a network.
- Certificate – A data structure containing an entities public key and related identification information, which is digitally signed with the private key of the CA that issued it. The certificate securely binds together the information that it contains; any attempt to tamper with it will be detected at the time of use.
- Self-signed – In a self-signed certificate, the public key in the certificate and the key used to verify the certificate are the same. Some self-signed certificates are designated as Root CAs.
- Root CA – A root CA is a special class of CA, which is trusted unconditionally by a client and is at the top of a certification hierarchy. All certificate chains terminate at a root CA. The root authority must sign its own certificate because there is no higher certifying authority in the certification hierarchy.
- Subordinate CA / Intermediate CA / Cross CA / Bridge CA – A CA that has been certified by another CA. Subordination creates a managed trust between separate certification authorities resulting in CA hierarchies.
- Certificate policy and practice statements – The two documents that outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on.
- Public key standards – Standards are developed to describe the syntax for digital signing and encrypting of messages and to ensure that a user has an appropriate private key. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, as specified in RFC5280 is one part of a family of standards for the X.509 Public Key Infrastructure (PKI) for the Internet.
- Revocation and Expiration – Certificates are issued with a planned lifetime, which is defined through a validity start time and an explicit expiration date. Once issued, a certificate becomes valid when its validity time has been reached, and it is considered valid until its expiration date. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period. Such circumstances include change of name, change of association between subject and CA, and compromise or suspected compromise of the corresponding private key. Under such circumstances, the issuing CA needs to revoke the certificate.
- Registration Authority (RA) – A Registration Authority vouches to a CA for the binding between public keys and the identity and attributes of a prospective certificate holder. Essentially, using the RA is a form of administrative delegation—the CA delegates to the RA the task of verifying the binding of a public key to an entity.
- Certificate Chains – A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice this includes the end certificate, the certificates of intermediate CAs, and the certificate of a root CA trusted by all parties in the chain. Every intermediate CA in the chain holds a certificate issued by the CA one level above it in the trust hierarchy.
