Managing a Device With the Crescendo Minidriver
This section explains how to issue a device for other users as well as for yourself.
Prerequisites
- Microsoft Windows 2016 Server (or higher) is installed and configured as a Primary Domain Controller.
- Active Directory is configured to manage users and computers.
- DNS Server is configured with your domain name.
- Internet Information Services (IIS) is installed (to be able to request a certificate through the Smart Card Enrollment Station).
- Microsoft Windows Certificate Services is installed and configured.
- Microsoft CA is configured with an issuance Certificate Template for smart card logon onto the domain. It must include the following certificates:
  - Enrollment Agent — intended for entities authorized to enroll certificates on behalf of others. For example, administrators needing to deploy smart card logon certificates for organization employees require an "Enrollment Agent" certificate.
  - Smart Card Logon — intended for smart card logon onto the domain.
  - Smart Card User — an all-round certificate, intended both for smart card logon and, for example, signing and encrypting email messages and web authentication.
- Microsoft CA Registration Authority (RA) station is created with:
  - All the drivers required for your HID Crescendo card and smart card reader.
  - An Enrollment Agent Certificate configured with Microsoft Enhanced Cryptographic Provider 1.0 or similar as the CSP.
The recommended method for enrolling users for smart card-based certificates and keys is through the Smart Card Enrollment Station that is integrated with Certificate Services in Microsoft Windows Server 2008.
The section Issuing a Smart Card Using Microsoft Certificate Authority therefore describes how to enroll for a Smart Card User or Smart Card Logon certificate through the Smart Card Enrollment Station. Typically, this process is managed by your system administrator.
As a user, request your own certificate through the Microsoft Certificate Services interface on your local workstation. In this case, a domain user cannot enroll for a Smart Card Logon certificate (which provides authentication) or a Smart Card User certificate (which provides authentication plus the capability to secure e-mail) unless a system administrator has granted the user access rights to the certificate template stored in Active Directory. This is described in the section Importing Certificates Using Microsoft Windows.
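The access rights mentioned above are stored on each certificate template object in Active Directory. The following script is an added example (not part of the HID documentation) that lists which principals hold enrollment rights on the three templates named in the prerequisites. It assumes the RSAT ActiveDirectory module is installed and that the templates use the default names EnrollmentAgent, SmartcardLogon and SmartcardUser; duplicated templates will have other names.

```powershell
# Added example: report who may enroll in the smart card certificate templates.
# Assumptions: RSAT ActiveDirectory module; default template CNs (adjust $templateNames
# if your CA publishes duplicated templates under different names).
Import-Module ActiveDirectory

$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment extended right
$extendedRight  = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$templateNames  = 'EnrollmentAgent', 'SmartcardLogon', 'SmartcardUser'

# Templates live in the forest-wide Configuration partition.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

foreach ($name in $templateNames) {
    $template = Get-ADObject -SearchBase $container -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$name))" `
        -Properties nTSecurityDescriptor
    if (-not $template) {
        Write-Warning "Template '$name' not found under $container"
        continue
    }

    foreach ($ace in $template.nTSecurityDescriptor.Access) {
        # Only Allow ACEs that carry an extended right can grant enrollment.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }

        if     ($ace.ObjectType -eq $enrollGuid)     { $right = 'Enroll' }
        elseif ($ace.ObjectType -eq $autoEnrollGuid) { $right = 'AutoEnroll' }
        elseif ($ace.ObjectType -eq [guid]::Empty)   { $right = 'All extended rights (includes Enroll)' }
        else   { continue }

        [pscustomobject]@{
            Template  = $name
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}
```

Review the Enrollment Agent rows first: that template lets its holder enroll certificates on behalf of others, so only the administrators operating the RA station should appear there.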