Thursday, December 22, 2011

Installing Windows 2008 R2 Certificate Services for SmartCard Authentication - Part 1

Environment (Hardware & Software)

  1. Windows 2008 R2 Enterprise Edition Certificate Services
  2. Windows 2003 R2 Domain Controllers
  3. VMware View 5 VDI clients (Windows XP SP3)
  4. Gemalto .NET SmartCard
  5. Dell FX-100 Zero Client with Dell USB keyboard and SmartCard reader
  6. HP 620 Laptop Clients (Windows XP SP3)

Installation of Windows 2008 R2 Certificate Services

Start the Server Manager

Click Add Roles

Select Active Directory Certificate Services
Click on the Next button

Click on the Next button

Select Certification Authority, Certification Authority Web Enrollment, Online Responder
Click on the Next button

Click on Add Required Role Services, as IIS is required and not yet installed

Check Enterprise, Click Next

Check Root CA, click Next

Check Create a new private key, click Next

Select SHA256
Warning: operating systems older than Windows XP SP3 cannot use certificates signed with SHA256.

Type the Common name of the CA

Enter for the validity period: 5 years

Click on the Next button

Click on the Next button

Click on the Next button

Click Next and then the installation starts

Configuration of the Certificate Services

The following certificate templates need to be published by the CA:

  1. Enrollment Agent: an enrollment agent certificate needs to be issued to any user who will request a smart card certificate on behalf of another user during issuance
  2. Smart Card User: any user issued a certificate based on this template may use it for Smart Card Logon, Client Authentication and Secure Email. This template will be customized by duplicating the existing one.

Duplicate the Smartcard User template

Click Start/Administrative Tools/Certification Authority

Expand the CA you defined
Right-click Certificate Templates and Select Manage

Right-click on Smartcard User and Select Duplicate Template

Select the appropriate Certificate Template Version

In the Properties of New Template window, set up the template as described below

In the General tab, modify the name to MySmartcardUser, increase the Validity period and the Renewal period and select Publish certificate in Active Directory

In the Request Handling tab, click on the CSPs… button

Select Requests must use one of the following CSPs

Select, in the list of CSPs, Microsoft Base Smart Card Crypto Provider
Click the OK button

Click on the Issuance Requirements tab
Check This number of authorized signatures and enter 1
Select Application policy
For the Application policy, select Certificate Request Agent

Click on the OK button

Publish the templates

Right-click Certificate Templates and Select New → Certificate Template to Issue
Select Enrollment Agent and click OK to add

Right-click again on Certificate Templates and Select New → Certificate Template to Issue
Select MySmartcardUser and click OK to add

Check you have the MySmartcardUser and Enrollment Agent templates available in Certificate Templates

Enroll the Enrollment agent certificate

Launch the MMC

Add the Certificates Snap-in: click on File, then Add/Remove Snap-in

Select Certificates, click Add

Select My user account, and Finish

Click on the OK button

Back to the MMC Console, right click on the Personal container > All Tasks > Request New Certificate

Click on Next in the next two windows; in the third window, select the Enrollment Agent certificate and then Enroll

The Enrollment Agent certificate is now enrolled. Click on Finish

This certificate is stored in the personal container

Enroll the Smart Card User certificate on behalf of the user

Ensure that the Base CSP package has been downloaded and installed on the client machine where the smart card user certificate will be issued. For the Gemalto .NET smart card there is no additional software that needs to be installed.

Back to the MMC Console, right click on the Personal container > All Tasks > Advanced Operations > Enroll On Behalf Of

For the Signing certificate, click on Browse.

Select the Enrollment Agent Certificate

Select Administrator and click on the Next button

Select the MySmartcardUser template and click Next

Select the “End User”

Enter the SmartCard PIN

The smart card is enrolled and can be used for smartcard logon for example.
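To confirm the result of the steps above without clicking through every console, here is an added PowerShell check (my own example, not part of the original post). It assumes the template names used above (MySmartcardUser, Enrollment Agent), PowerShell 2.0 on a domain-joined client, and that it runs as the enrolled user with the card inserted so the card's certificate has been propagated to the Personal store.

```powershell
# Added post-installation check, not part of the original post. Assumes the
# template names used above (MySmartcardUser, Enrollment Agent), PowerShell 2.0
# on a domain-joined client, run as the enrolled user with the card inserted.
$Oid = @{
    RequestAgent   = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU
    SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
    ClientAuth     = '1.3.6.1.5.5.7.3.2'
    SecureEmail    = '1.3.6.1.5.5.7.3.4'
    Sha256Rsa      = '1.2.840.113549.1.1.11'    # sha256RSA signature algorithm
    TemplateInfo   = '1.3.6.1.4.1.311.21.7'     # v2 Certificate Template Information
}
$SmartCardCsp = 'Microsoft Base Smart Card Crypto Provider'

function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

# 1. Both templates must be published by the CA (certutil ships with Windows).
$published = certutil -CATemplates 2>&1 | Out-String
foreach ($name in 'MySmartcardUser', 'Enrollment ?Agent') {
    $state = if ($published -match $name) { 'published' } else { 'MISSING' }
    Write-Host ("Template {0,-17} {1}" -f ($name -replace '\?', ''), $state)
}

# 2. The enrollment agent certificate must sit in the agent's Personal store.
$my    = Get-ChildItem Cert:\CurrentUser\My
$agent = $my | Where-Object { (Get-EkuOids $_) -contains $Oid.RequestAgent }
Write-Host ("Enrollment Agent cert present: {0}" -f [bool]$agent)

# 3. Each smart card logon certificate: SHA256 signature, the other EKUs the
#    template grants, still valid, and its private key held by the smart card CSP.
foreach ($c in ($my | Where-Object { (Get-EkuOids $_) -contains $Oid.SmartCardLogon })) {
    $ekus = Get-EkuOids $c
    $tmpl = $c.Extensions | Where-Object { $_.Oid.Value -eq $Oid.TemplateInfo }
    Write-Host ("`n{0}  [{1}]" -f $c.Subject, $(if ($tmpl) { $tmpl.Format($false) } else { 'no template info' }))
    # Reading PrivateKey opens the key container; it fails if the card is not present.
    try { $csp = $c.PrivateKey.CspKeyContainerInfo.ProviderName } catch { $csp = "unavailable: $_" }
    $checks = @(
        @('sha256RSA signature',       ($c.SignatureAlgorithm.Value -eq $Oid.Sha256Rsa)),
        @('Client Authentication EKU', ($ekus -contains $Oid.ClientAuth)),
        @('Secure Email EKU',          ($ekus -contains $Oid.SecureEmail)),
        @('Not expired',               ($c.NotAfter -gt (Get-Date))),
        @("Key in '$SmartCardCsp'",    ($csp -eq $SmartCardCsp))
    )
    foreach ($k in $checks) { Write-Host ("  {0,-36} {1}" -f $k[0], $(if ($k[1]) { 'OK' } else { 'FAIL' })) }
}
```

A FAIL on the CSP line usually means the key was generated in a software provider rather than on the card, which is exactly what the "Requests must use one of the following CSPs" setting is meant to prevent.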
