Issuing certificates directly to smart cards with Windows Certificate Manager

We’ve been working on a plan to deploy smart cards on our standalone network. For initial certificate issuance, we planned on using the certmgr.msc MMC snap-in: right-click the Personal folder and select All Tasks | Advanced Operations | Enroll On Behalf Of…. Everything seemed to be working, but the certificate was only issuing into the local certificate store, not onto the smart card.

After some trial and error, we found that our issue was an incorrect CSP on the certificate template. By default, the Smartcard Logon template allows the use of any CSP (with the Base Crypto Provider as the default), so the key pair is generated by the software CSP on the enrolling workstation rather than on the card. Prior to issuance, the template must be customized to issue directly to the smart card. First, make sure that the “Allow private key to be exported” option is NOT selected (otherwise the CSP setting won’t be available, which was our problem). Then, set the CSP so that the Microsoft Base Smart Card Crypto Provider (or whatever CSP your smart card uses) is the only one allowed. Once the template is published this way, logon certificates will issue directly to the card!
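The two template settings above can be audited straight from Active Directory instead of by eyeballing the template properties dialog. The following script is an added example (not from the original post) and assumes an enterprise CA whose templates live in the Configuration partition, a caller who can read that partition, and that the template's common name is SmartcardLogon; the CSP value and flag constant come from the template schema (pKIDefaultCSPs and msPKI-Private-Key-Flag, where 0x10 is CT_FLAG_EXPORTABLE_KEY).

```powershell
# Added example: verify that a certificate template is configured to issue
# keys on the smart card (no exportable private key, CSP restricted to the
# card's provider). Assumes an enterprise CA and read access to the
# Configuration naming context; $TemplateName and $RequiredCsp are assumptions.
param(
    [string]$TemplateName = "SmartcardLogon",
    [string]$RequiredCsp  = "Microsoft Base Smart Card Crypto Provider"
)

# CT_FLAG_EXPORTABLE_KEY bit of msPKI-Private-Key-Flag; set when
# "Allow private key to be exported" is ticked on the template.
$CT_FLAG_EXPORTABLE_KEY = 0x00000010

# Templates are stored under CN=Certificate Templates in the Configuration NC.
$rootDse    = [ADSI]"LDAP://RootDSE"
$configNc   = $rootDse.Get("configurationNamingContext")
$templateDn = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$template   = [ADSI]$templateDn

try {
    $template.RefreshCache()
} catch {
    throw "Template '$TemplateName' not found at $templateDn"
}

$privateKeyFlags = [int]$template.'msPKI-Private-Key-Flag'.Value

# pKIDefaultCSPs entries look like "1,Microsoft Base Smart Card Crypto Provider";
# the leading number is the provider's priority, so strip it to get the name.
$csps = @($template.pKIDefaultCSPs | ForEach-Object { ($_ -split ',', 2)[1].Trim() })

$exportable = ($privateKeyFlags -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
$cspOk      = ($csps.Count -eq 1) -and ($csps[0] -eq $RequiredCsp)

[pscustomobject]@{
    Template             = $TemplateName
    PrivateKeyExportable = $exportable          # must be $false for on-card issuance
    AllowedCsps          = ($csps -join '; ')
    CspRestrictedToCard  = $cspOk
    ReadyForSmartCard    = (-not $exportable) -and $cspOk
}
```

If ReadyForSmartCard is false, fix the template in the Certificate Templates console and re-run; the change takes effect only after the CA has the updated template published.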
