Issuing a Smart Card Using Microsoft Certificate Authority

Enroll a Smart Card for a User with Internet Explorer

  1. From the enrollment station, connect to the “Smart Card Certificate Enrollment Station” web page of the CA.
    This smart card enrollment web page can be found at http://<machine-name>/certsrv/ where the <machine-name> is the machine where you have installed the CA.
  2. Select Request a certificate.
  3. Select Advanced certificate request.
  4. Select Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.
    The Smart Card Certificate Enrollment Station window opens.
  5. Under Enrollment Options:
    • From the Certificate Template drop-down list, choose Smartcard User.
    • From the Cryptographic Service Provider drop-down list, select Microsoft Base Smart Card Crypto Provider.
    • Ensure the correct Enrollment Agent certificate is selected in the Administrator Signing Certificate box.
  6. Select a User to Enroll by clicking Select User.
  7. Enter the user name in which you are enrolling a certificate in the Enter the object name to select field.
  8. Click Check Names to verify the entry, and then click OK.
  9. Verify the user’s smart card is inserted into the smart card reader.
  10. Click Enroll to enroll a smart card user certificate for the user.
  11. Enter the PIN, and then click OK to continue.
    After the certificate request has been made, the CA will sign the request and return a certificate. This certificate is automatically placed on the smart card. You might be prompted to confirm the issuance of a certificate.
    At the end of the smart card enrollment process, you are informed that the smart card is ready for use.
  12. You can verify if the certificate contains the correct personal information about the user by clicking View Certificate. You also have the opportunity to enroll a new user by clicking New User.

Enroll a Smart Card for a User with MMC

  1. Open the management console by typing mmc in the Start > Run menu.
  2. Add the Certificates snap-in from the File > Add/Remove Snap-in menu.
  3. Right-click on the Certificates node.
  4. Go to All Tasks, then Advanced Operations, and then click Enroll on behalf of.
  1. Click Next.
  1. Browse to the Enrollment Agent Certificate that you created on the enrollment station.
  1. Select Smartcard User, and expand the Details view.
  1. Click Properties.
  1. Make sure that Microsoft Base Smart Card Crypto Provider is selected as the CSP, and click OK.
  1. Click Browse to select the user for whom you want to enroll the smart card.
  1. Enter the user name, and click OK. If necessary, click Check Names to make sure you have selected the correct user.
  1. When prompted, insert the smart card into the reader.
  2. If you are prompted to enter the PIN, do so and then click OK to continue.
    After the certificate request has been made, the CA will sign the request and return a certificate. This certificate is automatically placed on the smart card.
  1. Click Finish.