Certificate Availability

Some applications (for example, Firefox and Thunderbird) are smart card-aware and automatically access smart card-based certificates using ActivClient libraries (in this case, the ActivClient PKCS#11 library).

Other applications (for example, Internet Explorer, Microsoft Edge and Microsoft Outlook) require the certificates to be available in Microsoft Windows (specifically registered to the Microsoft Windows CAPI store) prior to using them.

ActivClient leverages a Microsoft Windows feature to automatically register smart card certificates in the Microsoft Windows CAPI store on card insertion (this is often referred to as 'certificate propagation'). This feature is controlled by a Microsoft Windows policy. See Certificate Registration for details.

The following are ActivClient policies that complement the Microsoft Windows policy:

  • Display certificate replacement warning

  • Remove certificates from Microsoft Windows on logoff

  • Remove certificates from Microsoft Windows on smart card removal

  • Turn off automatic configuration of Microsoft Windows EFS smart card certificate

Important:

Restart the Workstation

For the Certificate Availability policy changes to be applied, you must restart the workstation.

Display certificate replacement warning

Description:

Defines if a warning is displayed before the default certificate is replaced during certificate download with Microsoft Internet Explorer.

If this setting is not configured or disabled, then the warning is not displayed.

Remove certificates from Microsoft Windows on logoff

In a deployment, several users can share the same computer (kiosk), and sometimes use the same user account on the kiosk. This setting allows administrators to automatically remove the certificates that were registered automatically. This feature requires that the smart card is inserted in the card reader during the log-off operation.

Description:

Defines if user certificates are removed from Microsoft Windows when users log off.

Enable this feature if you are using a shared Microsoft Windows account and you do not want to see the certificates from all the users using their smart card on this computer, or if this computer is primarily used to issue smart cards for other users.

If this setting is not configured or disabled, then certificates are not removed from Microsoft Windows on logoff.

When this setting is enabled, the smart card must remain inserted during logoff for certificates to be removed from Microsoft Windows properly.

Remove certificates from Microsoft Windows on smart card removal

Description:

Removes user certificates from Microsoft Windows when users remove their smart card.

Enable this feature if you are using a shared Windows account and you do not want to see the certificates from all the users using their smart card on this computer, or if this computer is primarily used to issue smart cards for other users.

If this setting is not configured or disabled, then certificates are not removed from Microsoft Windows on card removal.
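
A check an administrator could run on a shared workstation to confirm that the two removal policies above are taking effect, given here as an added example that is not part of the ActivClient documentation. Run with no card inserted, it lists the Smart Card Logon certificates still registered in the current user's store and flags the store when they belong to more than one subject. It assumes smart card certificates carry the Smart Card Logon EKU; the function names are hypothetical.

```powershell
# Added example: audit the current user's personal (My) certificate store
# for smart card certificates left behind by more than one card holder.
# Assumption: smart card certificates are recognised by the Smart Card Logon
# EKU (1.3.6.1.4.1.311.20.2.2); certificates without that EKU are ignored.

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

# Hypothetical helper: return one summary object per Smart Card Logon certificate.
function Get-PropagatedSmartCardCert {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt (Get-Date))
            }
        }
}

# Hypothetical helper: summarise the store and flag it when certificates
# from several subjects (card holders) are registered in this one account.
function Test-SharedStoreResidue {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $certs    = @(Get-PropagatedSmartCardCert -StorePath $StorePath)
    $subjects = @($certs | Select-Object -ExpandProperty Subject -Unique)

    [pscustomobject]@{
        StorePath        = $StorePath
        CertificateCount = $certs.Count
        DistinctSubjects = $subjects.Count
        MultipleHolders  = ($subjects.Count -gt 1)
        Certificates     = $certs
    }
}

$result = Test-SharedStoreResidue
$result | Select-Object StorePath, CertificateCount, DistinctSubjects, MultipleHolders
$result.Certificates | Format-Table Subject, NotAfter, Expired, Thumbprint -AutoSize
```

A non-zero CertificateCount after logoff or card removal, with the corresponding policy enabled, indicates that the certificates were not removed as expected.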

Turn off automatic configuration of Microsoft Windows EFS smart card certificate

Description:

Disables the automatic configuration of the Encrypting File System feature with a smart card certificate after Microsoft Windows PKI smart card logon. This feature automatically selects which certificate will be used for EFS.

If this setting is not configured or disabled, then the certificate that will be used for EFS is automatically selected.