1 Overview

This document is mainly about how to configure Certificate Authority at Windows Server before smart card login certificates can be requested and loaded to FIDO keys. There are five main parts:

• Create a smart card login template
• Publish the template in the Certification Authority
• Edit Group Policy about user enrollment
• Auto-enroll certificate at user 's machines
• Manually enroll for current user

2 Prerequisites

• A Windows Server with domain controller and certificate authority configured. In this document, Windows Server 2016 with AD CA is used.
• Guest machines (could be the Windows Server itself) and available Windows accounts which have already joint in the CA 's domain. In this document a Windows 10 enterprise is used.
• The FIDO product supports PIV function.
• The Minidriver of EsMiniTokenSetup.exe is installed in relevant machines.

3 Set up the Smart Card Login Template for User Self-Enrollment

A smart card login certificate template is required before loading certificate to your keys. Follow the steps on the Windows Server that runs CA:

3.1 Create a Smart Card Login Template for User Self-Enrollment

1. Press Win+R, type "certtmpl.msc" and press Enter.

1. Click Certificate Templates, right-click Smartcard Logon, and select Duplicate Template.

1. Select the General and Compatibility tab, and make the following changes:

The Certification Authority should be your CA server 's OS version and the Certificate recipient should be your oldest OS version that the domain includes.

1. Select the Request Handling and Cryptography tab, and make the following changes as needed.

• Algorithm name: Select either RSA, ECDH_P256,or ECDH_P384 from the dropdown. Note: ECDH_P521 is not supported.
• Note that if an ECDH algorithm is selected, the client Windows systems need to have Elliptic Curve Cryptography (ECC) Certificate Login support added using Group Policy or by editing the registry.
• Minimum key size: If you selected RSA in the previous step, enter 2048. If you selected ECDH_P256 or ECDH_P384 in the previous step, this field automatically populated.
• In general, do not check "Allow private key to be exported" unless you need to help other client users of this domain to enroll their keys.

1. On the Security tab, make sure to add Read, Write and Enroll to administrator groups and Enroll and Autoenroll permissions to the target users.

• Make sure there are "Domain Users" and ensure the options for all users are checked for at least Read, Enroll, and Autoenroll. Other user 's permission could be set by needs.

1. Click Apply, and then click OK to close the template properties window. Close the Certificate Templates window.

3.2 Adding the Template to the Certification Authority

1. Right-click the Windows Start button and select Run.
2. Type "certsrv.msc" and press Enter.
3. Click Certification Authority, double-click your server, right-click Certificate Templates, select New and then select Certificate Template to Issue.

1. Locate and select the recently created self-enrollment template, and then click OK

3.3 Editing Group Policy to Enable Auto-Enrollment

1. Right-click the Windows Start button and select Run.
2. Type "gpmc.msc" and press Enter.
3. Navigate to the AD forest and Domain containing your server, double-click your server and double-click Group Policy Objects.
4. Right-click on the group policy you want to edit, and then select Edit.

1. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
2. Right-click Certificate Services Client – Certificate Enrollment Policy and select Properties.

1. Make changes as below:

1. Right-click Certificate Services Client – Auto-Enrollment Policy and select Properties and make changes as below:

1. Expand User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Apply same changes to same polices.

• You may need to restart your machine to apply these changes

4 Using Auto-Enrollment to Enroll Users

This section describes the steps users will need to follow to auto-enroll their key for Login.

1. Log into a user account on a Windows 10 PC connected to the domain. A Certificate Enrollment notification appears above the System Tray.

1. Click the Certificate Enrollment notification to open the Certificate Enrollment wizard. If the popup has disappeared (or didn't initially appear) click the arrow in the System Tray to expand the list of options and click on the certificate icon.
2. On the initial screen, click Next.

1. Select the newly created certificate template and click Enroll.

1. Enter your key 's PIV PIN and then click OK. If that PIN has not been set, enter the default PIN:123456.

Note: Mini drier: 'EsMiniTokenStepup' is required in this stage, otherwise, it will be 'read-only'.

1. Windows will enroll the for Windows login. After the process succeeds, click Finish.

1. Check the windows certificate store, the new cert is also stored in the cert store, as well as the smart card token.

1. When you login to this machine next time, you can select Smart Card method to logon.

Enter Smart Card Pin, default '123456', and then you are logged in.

5 Enroll manually

If you want to enroll the certificate manually, or something unexpectedly stop the auto enrollment, you can change the properties of the certificate template and enroll it by userself.
First open the certificate template at certtmpl.msc, move to Security tab and uncheck the Autoenroll permission at certificate template security tab.

And then run certmgr.msc, move to Personal-Certificates, right click, All tasks, Request New Certificate.

Next,

Click 'next'

Select the certificate template you created at previous steps.

Success. Next time you login to this account with our key inserted, you can use smart card logon method.