Create a smartcard logon certificate template

To create a smartcard logon certificate template:

1. From the Certificate Authority server, launch the Certificate Authority management console (MMC) from Administrative Tools.
2. Expand the CA, right -click on the "Certificate Templates" folder and select Manage .
3. Right click on the "Smartcard Logon" certificate template and then select Duplicate .
4. The new template properties open in the General tab. Type a template name in the text box. Note that the real name automatically appears in the second text box with no spaces. Remember this name. You will need it later to configure of SAML feature. The options on this tab should be configured as follows:
   • Template display name: PrlsSmartcardLogon
   • Template name: PrlsSmartcardLogon
   • Validity period: 1 years
   • Renewal period: 6 weeks
   • Publish certificate in Active Directory: OFF
   • Do not automatically re-enroll if a duplicate certificate exists in Active Directory: OFF

     Note: The display name can be any name you choose, however the template name must match the template name highlighted above.

   

5. Select the Cryptography tab and set the following:
   • Provider category: Legacy Cryptographic Service Provider (read-only).
   • Algorithm name: Determined by CSP
   • Minimum key size: 2048

   In the section Choose which cryptographic providers can be used for requests , choose Requests must use one of the following providers . In the following list of providers, clear all options except Microsoft Strong Cryptographic Provider and set priority as the preferred provider:

   [X] Microsoft Strong Cryptographic Provider

   [ ] Microsoft Enhanced Cryptographic Provider v 1.0

   [ ] Microsoft Base Cryptographic Provider v 1.0

   [ ] Microsoft Enhanced RSA and AES Cryptographic Provider

   

6. Select the Issuance Requirements tab and set the following:
   • CA certificate manager approval: OFF
   • This number of authorized signatures: 1
   • Policy type required in signature: Application policy
   • Application policy: Certificate Request Agent
   • Same criteria as for enrollment: ON

   

7. Select the Security tab and do the following:
   • Click Add.
   • Add the enrollment agent user account.
   • Allow (select) the "Read" and "Enroll" permissions. Click Apply and OK .

   

Issue the certificate template

To issue the certificate template that you've created:

1. Run Certificate Authority again and right click on Certififcate Templates, select new and click on Certificate Template to Issue .
2. Select the certificate template you've created in the previous steps (i.e. Prls Smarcard Logon) and click OK .
3. The certificate template should appear in the Certificate Templates list.

Note: After creating the Smartcard Logon template and the Enrollment Agent template (described earlier), you should restart the Active Directory Certificate Services service in Windows.