This document will help Citrix Ready Partners configure a Windows 2008 Certificate Authority and enroll smart cards.

Creating a Windows 2008 Certificate Authority

1) On a 2K8 member server (Note: this can also be a domain controller), launch Server Manager, expand the “Roles” node and select “Add Roles”.

2)  Select the following role: Active Directory Certificate Services

3) Select the following Role Services:

  • Certificate Authority
  • Certificate Authority Web Enrollment

NOTE: If you plan to use the certificates MMC snap-in as your exclusive method to request certificates, the Certificate Authority Web Enrollment role service is not required.

4) If you choose to install the Certificate Authority Web Enrollment role service and do not already have the IIS-related dependencies, choose to install them now.

5)  Select an Enterprise CA

NOTE: An enterprise CA can issue smart card user and smart card logon certificates while a stand-alone CA cannot.

6)  Select a Root CA

7)  Select to Create a new private key

8)  Select the default Cryptography Settings:
RSA#Microsoft Software Key Storage Provider

9)  Enter a common name or leave the default

10) Choose a validity period or leave the default.

11)  Complete the remaining installation using the defaults.

Testing your CA

If you installed the Web Enrollment role service, open IE on your CA or on another box in your domain and enter the following URL: http://yourCA/certsrv.

If you see a page that looks like the following, your CA and enrollment web page have been installed successfully.

Configuring a Windows 2008 CA for smart card usage

1)  On your enterprise CA, open “Certificate Authority” from the Administrative Tools > highlight “Certificate Templates” and right click on it > select “New” > “Certificate Templates to Issue” as shown below.

2)  Highlight “Smartcard User” and “Enrollment Agent” and select OK.

NOTE: There are two “Enrollment Agent” certificate templates, one for a user account and one for a computer account. In either case the certificate will need to be present on the machine being used for enrollment purposes.

3)  Verify that both the “Smartcard User” and “Enrollment Agent” certificate templates now appear in your list of Certificate Templates as shown below.

Enrolling Smart Card Users with a Windows 2008 CA

Preparing the enrollment agent

1)  Select a computer in your domain that you will use to enroll smart card users; this will become your enrollment agent.
2)  Log on to your new enrollment agent with your domain administrator account.
3)  Plug your smart card reader into the computer/enrollment agent.
4)  Install your vendor's CSP.

NOTE: The Microsoft Base CSP is integrated into Win 7 and Windows 2008 natively. There is no need to install it separately.

5)  Insert a blank smart card into your reader.

Obtaining the enrollment/signing certificate

1)  Run “mmc.exe”.
2)  Select File > Add/Remove Snap-in.

3)  Add the “Certificates” Snap-in for the “My user account” and select OK.
4)  Expand the Certificates node.
5)  Expand the Personal node.

6)  Right click the “Certificates” node as shown below and select All Tasks > Request New Certificate.

7)  From the Certificate Enrollment wizard, Request Certificates page, select “Enrollment Agent”.
8)  Expand the details and select “Properties” as shown below.

9)  Select the Private Key tab.
10) Ensure the Microsoft Base Cryptographic Provider 1.0 is selected as shown below.

11)  Press OK and Enroll and then Close.

12)  You should now see an administrator signing certificate (Enrollment Agent certificate) installed in the Personal > Certificates store as shown below:
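To confirm what the “Configuring a Windows 2008 CA” section and the steps above should have produced, here is an added PowerShell check; it is not part of the original Citrix document. It assumes PowerShell is available on the enrollment agent and is run as the account that enrolled; the CA config string is a placeholder, and the EKU OID is Microsoft's standard Certificate Request Agent application-policy OID.

```powershell
# Added verification script (not from the original document). Run on the
# enrollment agent as the user who requested the Enrollment Agent certificate.
# Placeholder: replace with your CA's config string ("host\CA name"; certutil -dump shows it).
$CaConfig = 'yourCA\yourCA-CA'

# Microsoft application-policy OID carried by the Enrollment Agent template.
$EnrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent

# 1) The CA must publish both templates added under "Certificate Templates to Issue".
$published = certutil -config $CaConfig -CATemplates
foreach ($template in 'EnrollmentAgent', 'SmartcardUser') {
    if ($published -match "^$template\b") { "OK: CA publishes template $template" }
    else { Write-Warning "CA does not publish template $template" }
}

# 2) The Enrollment Agent certificate must be in the user's Personal store,
#    carry the Certificate Request Agent EKU and have a private key.
$agents = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EnrollmentAgentEku)
}
if (-not $agents) {
    Write-Warning 'No Enrollment Agent certificate with a private key in the Personal store'
}
foreach ($cert in $agents) {
    # Step 10 selected the Microsoft Base Cryptographic Provider 1.0; report what was used.
    $provider = '(CNG or unknown provider)'
    if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
        $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
    }
    "OK: agent cert $($cert.Thumbprint) expires $($cert.NotAfter); key provider: $provider"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning 'Enrollment Agent certificate expires within 30 days'
    }
}

# 3) An Enrollment Agent certificate can sign requests on behalf of other users,
#    so only the designated enrollment workstation should hold one. Report any
#    copies that have also ended up in the computer store on this host.
$machineAgents = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EnrollmentAgentEku)
}
if ($machineAgents) {
    Write-Warning "Computer store also holds $(@($machineAgents).Count) Enrollment Agent certificate(s)"
}
```

Run it again after the “Enrolling smart card users” steps; certutil -scinfo (a standard certutil verb) will additionally list the certificate written to the inserted card.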

Enrolling smart card users

1)  Right click the “Certificates” node and select All Tasks > Advanced Operations > Enroll on behalf of … as shown below.

2)  From the Certificate Enrollment wizard, Select Enrollment Agent Certificate page, select Browse and choose the previously obtained signing certificate as shown below.

3)  From the Certificate Enrollment wizard, Request Certificates page, select “Smartcard User”.

4)  Expand the details and select “Properties” as shown below.

5)  Select the Private Key tab.
6)  Select the Microsoft Base Smart Card Crypto Provider as shown below.
NOTE: If you are using a custom CSP from a smart card vendor, select your vendor's CSP in place of the Microsoft Base CSP here.

7)  Select OK, Next.

8)  From the Certificate Enrollment wizard, Select User page, select Browse to specify a domain user as shown below.

9)  Select Enroll.

10)  Remove and reinsert your smart card if prompted.

11)  Enter your PIN as shown below.