Deploying Smart Cards
This paper is part of a series of white papers known as " The Smart Card Deployment Cookbook."
On This Page
This paper discusses the installation and configuration of the smart card enrollment station. The enrollment station and security officer work on behalf of the enrollee to "flash" one or more certificates to the newly issued smart card. The security officer has a unique certificate that allows certificates to be written to protected areas on the issued card.
The benefits of a smart card enrollment station are extensive. Primarily, the enrollment station can help centralize, organize, and account for issuing smart cards. The enrollment process is a formal process in which enrollees prove their identity by using one or more forms of identification, and the company issues the appropriate keys. If practical, a scaled-down enrollment station can be placed at a reception desk and temporary cards can be issued for visitors and guests.
A centralized enrollment station can also:
Simplify the physical preparation of the card to be issued. In some deployments, decals may be applied to the card at the time of issue.
Reduce the chance for certificate service interruption. Because the certificate servers are isolated, the opportunity for human intervention or accident is lessened.
Prevent users and managers from validating their own identification and issuing their own certificates, especially for environments in which varying levels of security and access exist.
It is crucial to implement a security department to reduce the chance for collusion. This means that employees cannot initiate their own enrollment process; only managers can authorize and issue smart cards. The security department also determines the extent to which the smart card will be used. However, because the security department is a separate neutral party, it is in the best position to verify that the card is appropriate for the enrollee, and in alignment with company policy and the department or departments with which the enrollee is associated.
Setting Up the Enrollment Station
Before a smart card can be used effectively, one or more readers must be available to the enrollment candidate. When your test or lab work moves into full corporate deployment, a process can be implemented that confirms to the security department that the card reader is installed and ready for use. The process might be similar to the following pre-enrollment scenario:
The enrollment candidate initiates the enrollment process after reporting on the type of card reader required; USB, serial, keyboard, and so on.
When the card reader arrives, the enrollee candidate begins installation. After installation is complete, the candidate views the security Web site and completes the smart card "Terms and conditions for use" agreement. A copy of the confirmation is sent to the manager, who then launches authorization to the smart card enrollment station.
The candidate commutes to the enrollment station to obtain the smart card.
Requesting a Certificate
You can start the certificate request process by opening the certification authority (CA) for the subordinate CA. Under policy settings, confirm that the Enrollment Agent template is present in the list. In the following illustration, the Hay Buv Toys (HBT) smart card CA policies are minimized to allow only smart card enrollment agent, user, and logon certificate functionality.
At Hay Buv Toys, a PKI_Admins group was added to the organizational unit. A Security Smart Card group is associated with the PKI_Admins group, and the permissions are shown in the illustration that follows. The named enrollment agents are homed to this group.
Return to the named smart card sub-CA. Open AD Sites and Services to view the certificate templates.
Open the Security Settings associated with the Enrollment Agent, and add the Security Smart Card group.
A Microsoft Windows 2000 SP1 Professional computer is recommended for the enrollment station. The computer can be a laptop that the enrollment officer commutes with, if required.
After permissions are granted on the enrollment template, you are ready to generate an enrollment agent certificate. You can sign in as a member of the Security Smart Card group.
Open the browser. In the Tools/Internet Options/Trusted Sites category, add the location of the sub CA's certificate service page to the Trusted Site list.
Open the smart card sub CA's certificate service from the browser, click Request a certificate, and then click Next.
Click Advanced request, and then click Next.
Click Submit a certificate request to this CA using a form, and then click Next.
From the Certificate Template menu, select Enrollment Agent. Under Key Options, select Microsoft Enhanced Cryptographic Provider v1.0 as your provider. In the example below, 1024 was selected as the Key Size from the common suggested lengths.
If you need to install the certificate on multiple workstations or for backup and restore during full deployment, activate the Mark keys as exportable option. During backup, be advised that the private key is also copied; protect your backup media in accordance with the smart card security policy that you determine for your company.
The Certificate Issued confirmation page appears. Click Install this certificate.
Be sure to review the lifespan or your certificate, and be aware that it can be renewed. A shorter lifespan assists in ensuring that rights and responsibilities associated with specific administrative roles are adjusted as personnel change positions or leave your company.
Enrolling a Certificate on Behalf of Another User
The enrollment computer and agent are now equipped to enroll smart card users. To begin this process, request a certificate from the sub-CA by using the enrollment machine. Sign in as the enrollment agent.
Click Request a certificate, and then click Next.
Click Advanced request.
Click Request a certificate for a smart card on behalf of another user using the Smart Card Enrollment Station.
The first time you complete this process, you will be prompted to install and run the Enrollment Station Control. Click Yes to continue.
On the Certificate Template menu, click the Smartcard Logon template. If you configured multiple sub-CAs, point the certificate request to the proper sub-CA. On the Cryptographic Service Provider menu, select the associated service provider, and the user to whom the logon certificate will be issued. In this example, the enrollee candidate is using a smart card and reader associated with GemPlus.
You are prompted to select the installed certificate that is authorized to perform the enrollment action. Click to select the certificate, and then click OK.
You are then prompted to insert the enrollee's smart card. Click OK.
Insert the user's smart card into the reader/coupler, type the default card PIN, and then click OK. Most vendors ship cards with a universal default PIN. For example, GemPlus uses 1234.
The enrollment officer must know the default PIN. Notice the option to change the PIN. The enrollment officer should create a new default PIN which is known only to the enrollee or the officer. The officer should observe and confirm a default PIN change that is performed by the enrollee. When you implement smart cards during full deployment, the new default PIN might have a limited lifespan, such as 24 hours. During this period, the enrollee must change the PIN to a permanent personal alphanumeric sequence.
The logon certificate is "flashed" to the smart card, and a status summary screen appears.
The certificate properties can also be viewed. During full deployment, you can take a screen capture of this banner and send it by using e-mail to the newly enrolled user's manager as a confirmation that the process completed successfully.
After you have reviewed the information on this page, click View Certificate to review the certificate information.
Because of the comprehensive lab and test activities, and the inclusion of representatives from teams affected by the rollout, the smart card deployment process was smooth and efficient.If you need to service remote sites during full deployment, entire blocks of blank cards can be prepared in advance by using a PIN that is sent directly to the remote enrollment agent. The cards, enrollment laptop, card reader(s), and the PIN can all be mailed separately.
Microsoft Enterprise Services
Roland Zeitler: MCS Germany
For information about Enterprise Services, see http://www.microsoft.com/es/.
Companies, organizations, products, people, and events depicted in examples in this paper are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.