Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication
Smart Card Logon Certificates
Enrollment for a Smart Card Logon Certificate
Any entity wishing to obtain a smart card logon certificate for use with Active Directory can initiate the process by following these steps:
1. Go to the Enroll Certificate using Browser page for an appropriate CA account/sub-account on the public side of the CertAgent website.
2. Select the CSP associated with your smart card.
3. Select Both for the Key Usage value.
4. Deselect the checkbox labeled Mark keys as exportable.
5. Fill in the rest of the form and click Submit.
6. Once your certificate request has been accepted, make a note of the request ID generated by the system.
Issuing a Smart Card Logon Certificate
A CertAgent CA may follow these steps to issue the certificate:
1. Log in to the CertAgent CA account to which the certificate request has been submitted.
2. Click the desired certificate request in the pending list to open the advanced dialog.
3. Select Issue certificate with customized settings from the Action drop-down list.
4. Customize the extensions for this certificate as follows:
• Under CRL Distribution Point, enter a CRL distribution point URL.
• Under Key Usage, check only the digital signature checkbox.
• Under Extended Key Usage, check only the client authentication and MS: Smart Card Logon checkboxes.
• Under Subject Alternative Name, add an Other Name field and complete its attributes as follows: specify an OID of 1.3.6.1.4.1.311.20.2.3; set UTF8 String as the type of the attribute and enter the principal name as its value (for example,
• Basic Constraints are optional, but if you include them be sure to deselect the CA checkbox.
5. Review the changes and then click Submit to issue the certificate.
For more detailed instructions on enabling smart card logon, see http://support.microsoft.com/kb/281245.
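As an added illustration (not part of the CertAgent manual or product), the following Python code shows how the Subject Alternative Name value from step 4 is laid out in DER, and checks that the principal name is carried as a UTF8 String under OID 1.3.6.1.4.1.311.20.2.3. The helper names (tlv, oid_body, build_san, read, upn_from_san) are assumptions made for this example, and build_san exists only to construct sample input.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # OID from the steps above; helper names are illustrative

def tlv(tag, body):
    """Encode one DER tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def oid_body(dotted):
    """Encode OID content octets: first two arcs combined, then base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def build_san(upn, string_tag=0x0C):
    """SAN value: SEQUENCE { [0] otherName { OID, [0] EXPLICIT string } }."""
    value = tlv(0xA0, tlv(string_tag, upn.encode("utf-8")))
    return tlv(0x30, tlv(0xA0, tlv(0x06, oid_body(UPN_OID)) + value))

def read(buf, pos):
    """Decode one TLV at pos and return (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def upn_from_san(san):
    """Return the UPN; raise ValueError if it is absent or not a UTF8String."""
    _, names, _ = read(san, 0)
    pos = 0
    while pos < len(names):
        tag, body, pos = read(names, pos)
        if tag != 0xA0 or read(body, 0)[1] != oid_body(UPN_OID):
            continue  # dNSName, rfc822Name, or a different otherName
        wrap_tag, wrapped, _ = read(body, read(body, 0)[2])
        if wrap_tag != 0xA0 or wrapped[:1] != b"\x0c":
            raise ValueError("UPN value is not [0] EXPLICIT UTF8String")
        return read(wrapped, 0)[1].decode("utf-8")
    raise ValueError("no UPN otherName in SAN")
```

To check an issued certificate, pass upn_from_san the decoded value of its subjectAltName extension (OID 2.5.29.17).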
Installing a Smart Card Logon Certificate
Once a smart card logon certificate has been issued, the entity who requested it may retrieve it and install it on their
computer as follows:
1. Go to the Retrieve Certificate page of the CertAgent public site.