Planning Smart Card Certificate Templates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use any of the following types of Windows Server 2003 certificate templates to enable smart card use in the Windows Server 2003 PKI:

  • Enrollment Agent. Allows an authorized user to serve as a certificate request agent on behalf of other users.

  • Smart Card User. Enables a user to log on and sign e-mail.

  • SmartCardLogon. Enables a user to log on by using a smart card.

You can also create your own certificate templates to serve multiple purposes. For example, the smart card logon certificate template is designed for smart card logon only. If you intend to use your smart card infrastructure to support multiple applications, you can choose multipurpose templates instead. Multipurpose templates generate certificates that you can use for multiple applications, such as smart card logon and e-mail signing.

Note

  • Windows 2000 only supports version 1 templates, which cannot be customized or extended. Use Windows Server 2003, Enterprise Edition, which supports version 2 templates, if you need to create new certificate templates, copy an existing template, or replace templates that are already in use.

As part of your planning for smart card certificate templates, you need to establish values for public keys, certificate lifetimes, and certificate renewal policies. These values are interrelated. For example, if you select a larger key value, you can implement a longer certificate lifetime. Or, you can use a small public key value if a certificate has a relatively short lifetime. Note, however, that the amount of memory that is available on the smart cards that you select also limits the size of the public keys that you can use.

Important

  • Many organizations pre-enroll users for smart card certificates several weeks before they distribute smart cards to users. The certificate lifetime is determined by the date that you issue the certificate, not the date that you distribute the card to the user. Therefore, factor any distribution delays into your certificate lifetime and renewal strategy.

A Windows Server 2003 CA allows you to select a certificate public key length from 384 bits for minimal security to 16,384 bits for maximum security. For typical logon applications, a 1,024-bit key is adequate.

You can establish certificate lifetimes that are as long or as short as you need, and you can configure certificates to be nonrenewable, renewable a finite number of times, or renewable indefinitely.

To define public key values and certificate lifetimes and renewal policies, take into account:

  • The physical capacity of your smart cards. Most of the smart cards that are available today have adequate space for all but the largest certificates.

  • How you define acceptable logon times. Public key–based authentication often takes longer than authentication without certificates.

    Note

    • The smart card and smart card reader that you choose might also impact logon performance. Test different combinations until the terms specified in your service level agreements are satisfied.

  • The nature of the business relationship. Smart card certificates issued to permanent employees usually warrant a longer lifetime and renewal cycle than certificates issued to short-term workers or to nonemployees.

  • The level of security that you want to enforce. Highly sensitive operations warrant larger public key values and, typically, shorter certificate lifetimes.
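The following script is an added example, not Microsoft's code and not part of this documentation. It puts the interrelated planning values from this section into one check: the key-length range the Windows Server 2003 CA accepts and the 1,024-bit value called adequate for logon, the card's key capacity, the business relationship, the sensitivity level, the renewal policy, and the pre-enrollment gap between the date a certificate is issued and the date the card reaches the user. The constants marked ASSUMPTION (the 2,048-bit and 365-day figures for highly sensitive use, the 180-day figure for nonemployees, and the "more than half the lifetime lost to distribution delay" rule) are illustrative policy choices for this example, not values from the page.

```python
"""Planning check for smart card certificate template values.

Added example; not Microsoft's code. Encodes the planning factors described
in "Planning Smart Card Certificate Templates". Values tagged ASSUMPTION are
illustrative thresholds chosen for this example only.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Key-length range a Windows Server 2003 CA accepts, and the value the
# section calls adequate for typical logon applications (from the text).
CA_MIN_KEY_BITS = 384
CA_MAX_KEY_BITS = 16384
LOGON_ADEQUATE_KEY_BITS = 1024

# ASSUMPTION: illustrative organizational policy thresholds.
HIGH_SENSITIVITY_MIN_KEY_BITS = 2048
HIGH_SENSITIVITY_MAX_LIFETIME_DAYS = 365
NONEMPLOYEE_MAX_LIFETIME_DAYS = 180


@dataclass
class TemplatePlan:
    name: str
    key_bits: int
    lifetime_days: int
    renewals: Optional[int]   # 0 = nonrenewable, N = finite, None = indefinite
    permanent_employee: bool  # False for short-term workers and nonemployees
    high_sensitivity: bool


def effective_lifetime_days(issued_on: date, distributed_on: date,
                            lifetime_days: int) -> int:
    """Validity the user actually gets once the card is in hand.

    The lifetime clock starts at issuance, not at distribution, so any
    pre-enrollment delay is subtracted from the usable period.
    """
    delay = (distributed_on - issued_on).days
    return max(0, lifetime_days - delay)


def coverage_days(plan: TemplatePlan) -> Optional[int]:
    """Total validity before a fresh enrollment is required.

    Returns None for an indefinitely renewable template.
    """
    if plan.renewals is None:
        return None
    return plan.lifetime_days * (plan.renewals + 1)


def evaluate_plan(plan: TemplatePlan, card_max_key_bits: int,
                  issued_on: date, distributed_on: date) -> List[str]:
    """Return findings for a template plan; an empty list means no conflicts."""
    findings: List[str] = []

    # Public key length versus CA limits and the logon guidance.
    if not CA_MIN_KEY_BITS <= plan.key_bits <= CA_MAX_KEY_BITS:
        findings.append(f"{plan.name}: key length {plan.key_bits} is outside "
                        f"the CA range {CA_MIN_KEY_BITS}-{CA_MAX_KEY_BITS}")
    elif plan.key_bits < LOGON_ADEQUATE_KEY_BITS:
        findings.append(f"{plan.name}: key length {plan.key_bits} is below "
                        f"the {LOGON_ADEQUATE_KEY_BITS}-bit logon guidance")

    # Physical capacity of the selected card (vendor-specified maximum key).
    if plan.key_bits > card_max_key_bits:
        findings.append(f"{plan.name}: key length {plan.key_bits} exceeds "
                        f"the card's {card_max_key_bits}-bit capacity")

    # Highly sensitive operations: larger keys, shorter lifetimes.
    if plan.high_sensitivity:
        if plan.key_bits < HIGH_SENSITIVITY_MIN_KEY_BITS:
            findings.append(f"{plan.name}: high-sensitivity use wants at least "
                            f"{HIGH_SENSITIVITY_MIN_KEY_BITS}-bit keys")
        if plan.lifetime_days > HIGH_SENSITIVITY_MAX_LIFETIME_DAYS:
            findings.append(f"{plan.name}: high-sensitivity lifetime should be "
                            f"at most {HIGH_SENSITIVITY_MAX_LIFETIME_DAYS} days")

    # Business relationship: nonemployees get shorter, bounded lifetimes.
    if not plan.permanent_employee:
        if plan.lifetime_days > NONEMPLOYEE_MAX_LIFETIME_DAYS:
            findings.append(f"{plan.name}: nonemployee lifetime should be at "
                            f"most {NONEMPLOYEE_MAX_LIFETIME_DAYS} days")
        if plan.renewals is None:
            findings.append(f"{plan.name}: nonemployee template should not be "
                            "renewable indefinitely")

    # Pre-enrollment delay eats into the lifetime the user can actually use.
    remaining = effective_lifetime_days(issued_on, distributed_on,
                                        plan.lifetime_days)
    if remaining == 0:
        findings.append(f"{plan.name}: certificate expires before the card "
                        "is distributed")
    elif remaining < plan.lifetime_days // 2:  # ASSUMPTION: half-life rule
        findings.append(f"{plan.name}: distribution delay leaves only "
                        f"{remaining} of {plan.lifetime_days} days")
    return findings


if __name__ == "__main__":
    # Constructed sample plans and dates for demonstration.
    employee = TemplatePlan("Employee logon", 1024, 365, 2, True, False)
    contractor = TemplatePlan("Contractor signing", 4096, 730, None, False, True)
    for plan in (employee, contractor):
        for line in evaluate_plan(plan, 2048, date(2024, 1, 1), date(2025, 6, 1)):
            print(line)
        print(plan.name, "coverage:", coverage_days(plan))
```

Run the script directly to see the findings for the two constructed plans; in practice you would feed it the values you intend to set on each template and the key size your card vendor specifies, then adjust lifetime and renewal settings until the list is empty.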

For more information about planning public key and certificate renewal values, see "Designing a Public Key Infrastructure" in this book. For more information about how to configure certificate templates, see "Certificate Templates" in Help and Support Center for Windows Server 2003.