Alternative methods to getting a standalone CA to issue smartcard certificates

We want to implement a smartcard solution but we're not ready for an implementation internally.
We considered implementing a standalone CA to avoid making changes to the Configuration partition but as it isn't able to issue smartcard certificates we're now considering a 3rd party solution instead.

A Standalone CA can actually issue smartcard logon certificates - but since it's not using certificate templates for that then you would need to manually format the request correctly before sending it to the CA for signing.  This is one of the advantages of using an Enterprise Issuing CA as that will use the appropriate smartcard logon certificate template to automatically format the request in the way that is specified in the template.

Additionally, regardless of if you implement a 3rd party CA solution or a Microsoft CA - you will most likely still need to have the same basic principles in place.

  • The Root CA and Issuing CA's being used must be added to your configuration partition
  • Your DC's must have Domain Controller certificates capable of servicing smartcard logons.
  • Your smartcards must be capable of being used for logons (although this is extensively configurable in Vista+ machines)

I.e. you will typically have the same requirements with a 3rd party solution as with a Microsoft Enterprise CA infrastructure - both will most likely require additions to your AD Configuration partition (the Enterprise CA just automates this for you).

One possible quick alternative to the manual setup of the standalone CA is to promote the Standalone CA to a DC in its own forest and use it as an external Enterprise CA - Windows Server 2008 R2 added the possibility of cross-forest enrollment so you would in addition to the smartcard logon functionality also be leveraging the autoenrollment functionality of the OS.