Implementing SmartCards

Microsoft’s Certificate Authority (CA) is a great tool for implementing PKI and smartcards. It is quite easy to deploy too, at least for small environments: Windows Server 2003’s support for auto-enrolment of the cards takes a lot of the management away, and with it a significant portion of the deployment cost. Installation and setup are simple, but make sure you plan appropriately for an enterprise deployment. One area in particular you need to watch out for is the “Enrolment Agent” permission within the CA. Why? Because with this permission I can easily become you. As an Enrolment Agent, the web-based enrolment tool lets me enrol a smartcard on behalf of another user, any user. It is handy for manually enrolling users, but on a Windows Server 2003 CA it offers no granularity on which users an agent may act for, and that includes the domain administrator account (the ability to restrict which agents may enrol on behalf of which users only arrived later, with Windows Server 2008 Enterprise CAs). A smartcard issued this way is a full logon credential for the target account, so this permission should only be given to the trusted service administrators, not to the delegated admins on the helpdesk. Audit who holds Enrol on the Enrolment Agent template periodically, because the right is granted on the template’s ACL in Active Directory, not on the CA itself, and is easy to hand out by accident via a broad group.


Auto-enrolment provides for a much easier deployment of smartcards. In the CA Management MMC console you control which certificate templates the CA will issue, and on each template’s security tab you grant the Enrol and Autoenrol permissions that decide who can obtain it and who gets it automatically (user auto-enrolment needs version 2 templates, which require a Windows Server 2003 Enterprise Edition CA, and the corresponding auto-enrolment setting in Group Policy). The beautiful thing is that you can slip your smartcard into your machine, logged on as you, and Windows Server 2003, Group Policy and the CA will put a smartcard certificate on it for you. The other great use of auto-enrolment is putting certificates on both the machine and the user to support wireless access using EAP-TLS.
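The two points above (who holds Enrol on the Enrolment Agent template, and who holds Enrol/Autoenrol on the smartcard logon template) both come down to reading the template ACLs stored in the Configuration partition of Active Directory. The following PowerShell is an added example written for this page, not code from the original post or from Microsoft; it uses plain ADSI so it needs no RSAT module. It assumes a domain-joined machine with read access to the Configuration partition, the default template names “EnrollmentAgent” and “SmartcardLogon”, and a hypothetical service-admin group name that you would replace with your own.

```powershell
# Added example (not from the original post): audit Enroll / Autoenroll rights on
# certificate templates in Active Directory using plain ADSI.
# Assumptions: domain-joined host, reader of the Configuration partition, default
# template common names. The group name in $TrustedAgents is a placeholder.

# Extended-right GUIDs from the AD schema for the two rights that matter here.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d1-a1d4-00c04fc2dda0'   # Certificate-AutoEnrollment

function Get-TemplateRights {
    param([Parameter(Mandatory)][string]$TemplateName)

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $dn       = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    if (-not [ADSI]::Exists($dn)) { throw "Template '$TemplateName' not found under $configNc" }
    $template = [ADSI]$dn

    # ObjectSecurity exposes the template's DACL as ActiveDirectoryAccessRule objects.
    $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            $rights = @()
            $adRights = $_.ActiveDirectoryRights
            # Full Control implies every extended right, so report it explicitly.
            if ($adRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) { $rights += 'FullControl' }
            if ($adRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
                # An empty ObjectType GUID on an ExtendedRight ACE means "all extended rights".
                if ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $EnrollRight)     { $rights += 'Enroll' }
                if ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $AutoEnrollRight) { $rights += 'AutoEnroll' }
            }
            if ($rights.Count -gt 0) {
                [pscustomobject]@{
                    Template  = $TemplateName
                    Principal = $_.IdentityReference.Value
                    Rights    = ($rights -join ',')
                    Inherited = $_.IsInherited
                }
            }
        }
}

# 1. Who can act as an Enrollment Agent? Anyone listed here can issue a logon
#    credential for any user, so the list should match your trusted admins exactly.
$TrustedAgents = @('CONTOSO\PKI Service Admins')   # placeholder: your service-admin group
$agents = Get-TemplateRights -TemplateName 'EnrollmentAgent'
$agents | Format-Table -AutoSize
$unexpected = $agents | Where-Object { $_.Rights -match 'Enroll|FullControl' -and $_.Principal -notin $TrustedAgents }
if ($unexpected) {
    Write-Warning "Unexpected principals can enroll as Enrollment Agent:"
    $unexpected | Format-Table -AutoSize
}

# 2. Who is auto-enrolled for smartcard logon? Autoenroll only takes effect for
#    principals that also hold Enroll, so a row showing AutoEnroll without Enroll
#    will never actually receive a card.
Get-TemplateRights -TemplateName 'SmartcardLogon' | Format-Table -AutoSize
```

Two things are worth checking alongside the output. First, a template only matters once the CA publishes it, so compare the list against `certutil -CATemplates` run on the CA. Second, the ACL is only half of auto-enrolment: the “Certificate Services Client - Auto-Enrollment” setting in the applicable GPO must be enabled, and `gpupdate /force` followed by `certutil -pulse` on a client will trigger an enrolment pass so you can see the card get populated without waiting for the next policy refresh.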