Category Archives: Smart Card

Issuing certificates directly to smart cards with Windows Certificate Manager

We’ve been working on a plan to deploy smart cards on our standalone network.  For initial certificate issuance, we planned on using the certmgr.msc MMC snap-in.  This is done by right-clicking the Personal folder and selecting All Tasks | Advanced Operations | Enroll On Behalf Of… option.  Everything seemed to be working, but the certificate was only issuing into the local store, and not onto the smart card.  After some trial and error, we found that our issue was an incorrect CSP for the certificate template.  By default, the Smartcard Logon template allows for the use of any CSP (with the Base Crypto Provider as the default).  Prior to issuance, the certificate template must be customized to issue directly to the smart card.  First, make sure that the “Allow private key to be exported” option is NOT selected (otherwise, the next setting won’t be available, which was our problem).  Then, ensure the CSP is set so that the Microsoft Base Smart Card Crypto Provider (or whatever CSP your smart card uses) is the only one allowed.  Once the template is published this way, logon certificates will issue directly to the card!