1 Overview

This document mainly describes how to configure the Certificate Authority on Windows Server before smart card logon certificates can be requested and loaded onto FIDO keys. There are five main parts:

  • Create a smart card login template
  • Publish the template in the Certification Authority
  • Edit Group Policy about user enrollment
  • Auto-enroll certificates on users' machines
  • Manually enroll for the current user

2 Prerequisites

  • A Windows Server with a domain controller and a certificate authority configured. In this document, Windows Server 2016 with AD CA is used.
  • Guest machines (the Windows Server itself can be used) and Windows accounts that have already joined the CA's domain. In this document a Windows 10 Enterprise machine is used.
  • A FIDO product that supports the PIV function.
  • The minidriver (EsMiniTokenSetup.exe) is installed on the relevant machines.

3 Set up the Smart Card Login Template for User Self-Enrollment

A smart card logon certificate template is required before a certificate can be loaded onto your keys. Follow these steps on the Windows Server that runs the CA:

3.1 Create a Smart Card Login Template for User Self-Enrollment

  1. Press Win+R, type "certtmpl.msc" and press Enter.

...

  1. Click Apply, and then click OK to close the template properties window. Close the Certificate Templates window.

3.2 Adding the Template to the Certification Authority

  1. Right-click the Windows Start button and select Run.
  2. Type "certsrv.msc" and press Enter.
  3. Click Certification Authority, double-click your server, right-click Certificate Templates, select New and then select Certificate Template to Issue.

...

  1. Locate and select the recently created self-enrollment template, and then click OK.

3.3 Editing Group Policy to Enable Auto-Enrollment

  1. Right-click the Windows Start button and select Run.
  2. Type "gpmc.msc" and press Enter.
  3. Navigate to the AD forest and Domain containing your server, double-click your server and double-click Group Policy Objects.
  4. Right-click on the group policy you want to edit, and then select Edit.

...

  • You may need to restart your machine to apply these changes.

4 Using Auto-Enrollment to Enroll Users

This section describes the steps users need to follow to auto-enroll their key for login.

...

Enter the smart card PIN (default '123456'), and you are logged in.

5 Enroll manually

If you want to enroll the certificate manually, or something unexpectedly stops auto-enrollment, you can change the properties of the certificate template and enroll it yourself.
First open the certificate template in certtmpl.msc, go to the Security tab and uncheck the Autoenroll permission.

Then run certmgr.msc, go to Personal > Certificates, right-click, select All Tasks, and then Request New Certificate.

Next, click Next, and select the certificate template you created in the previous steps.

Success. The next time you log in to this account with the key inserted, you can use the smart card logon method.
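To confirm that the template publication (3.2), the auto-enrollment policy (3.3) and the enrollment itself (4 and 5) have all taken effect, the following PowerShell check can be run on a domain-joined Windows 10 client as the enrolled user. It is an added example, not part of the original guide; `SmartCardLogonSelfEnroll` is a placeholder for the name of the template you created.

```powershell
# Added example, not from the original page: verify from a domain-joined client
# that the pieces this guide configures are in place for the current user.
# $TemplateName is a placeholder; replace it with the template created in 3.1.
$TemplateName      = 'SmartCardLogonSelfEnroll'
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU OID

# 1. Section 3.2: is the template published on the CA? certutil -CATemplates
#    lists the templates the enterprise CA is configured to issue.
$published = certutil -CATemplates 2>&1 | Where-Object { $_ -match [regex]::Escape($TemplateName) }
if ($published) { "CA issues template: $published" }
else            { "WARNING: template '$TemplateName' not found in certutil -CATemplates output" }

# 2. Section 3.3: did the user auto-enrollment setting from the GPO apply?
#    AEPolicy bits: 0x1 enabled, 0x2 renew/update pending, 0x4 update templates;
#    0x8000 means auto-enrollment is explicitly disabled by policy.
$aeKey = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $ae)        { "WARNING: no user auto-enrollment policy applied (try gpupdate /force)" }
elseif ($ae -band 0x8000) { "WARNING: user auto-enrollment disabled by policy (AEPolicy=0x{0:X})" -f $ae }
else                      { "User auto-enrollment policy: enabled (AEPolicy=0x{0:X})" -f $ae }

# 3. Sections 4 and 5: is there a smart card logon certificate in the user's
#    Personal store, and which template issued it? A logon certificate that did
#    not come from your template is worth investigating.
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SmartCardLogonEku })
}
if (-not $certs) {
    "No smart card logon certificate yet; run 'certutil -user -pulse' to trigger auto-enrollment"
}
foreach ($c in $certs) {
    # The Certificate Template Information extension (1.3.6.1.4.1.311.21.7) names the issuing template.
    $tpl = $c.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } | ForEach-Object { $_.Format($false) }
    [pscustomobject]@{
        Subject       = $c.Subject
        Issuer        = $c.Issuer
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey
        Template      = $tpl
        Thumbprint    = $c.Thumbprint
    }
}
```

If step 3 lists no certificate while steps 1 and 2 pass, insert the key and run `certutil -user -pulse`, then re-run the check; the user's Personal store should then show a certificate whose Template field names your template.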