Enrolling for a smart card certificate

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Enrolling for a smart card certificate

A domain user cannot enroll for a Smart Card Logon certificate (which provides authentication) or a Smart Card User certificate (which provides authentication plus other uses of the smart card cryptography) unless a system administrator has granted the user access rights to the certificate template that is stored in Active Directory. Enrollment for a smart card certificate must be a controlled procedure, in the same manner that employee badges are controlled for purposes of identification and physical access.

The recommended method for enrolling users for smart card-based certificates and keys is through the smart card enrollment station that is integrated with Certificate Services in Windows Server 2003, Standard Edition and Windows Server 2003, Enterprise Edition.

When an enterprise certification authority (CA) is installed, the installation includes the Smart Card Enrollment station. This allows an administrator to act on behalf of a user to request and install a Smart Card Logon certificate or Smart Card User certificate on the user's smart card. Prior to using the Smart Card Enrollment station, the smart card issuer must have obtained a signing certificate based on the Enrollment Agent certificate template. The signing certificate signs the certificate request that is generated on behalf of the smart card recipient.

By default, only domain administrators are granted permission to request a certificate based on the Enrollment Agent template. A user other than a domain administrator can be granted permission to enroll for an Enrollment Agent certificate by means of Active Directory Sites and Services.


  • Once someone has an Enrollment Agent certificate, they can enroll for a certificate and generate a smart card on behalf of anyone in the organization. The resulting smart card could then be used to log on to the network and impersonate the real user.

Because of the powerful capability of the Enrollment Agent certificate, it is strongly recommended that your organization maintain very strong security policies over who has one. A scenario to minimize risk of Enrollment Agent certificate misuse would be to have one subordinate CA with very tight administrative controls in your organization that is only used to issue Enrollment Agent certificates. Once the initial Enrollment Agent certificates have been issued, the administrator of the CA can disable the issuance of Enrollment Agent certificates until they are needed again. By restricting the administrators who can operate the CA service on the subordinate CA, the service can be kept online for the generation and distribution of certificate revocation lists (CRLs) if necessary. Other CAs in the hierarchy can still issue Enrollment Agent certificates if their policy settings are changed, but you can determine whether inappropriate Enrollment Agent certificates are issued by checking the Issued Certificates log for each CA regularly.

For information on how to change the security permissions for a certificate template, see Allow subjects to request a certificate that is based on the template.

The enrollment station does not provide any card personalization functions, such as creating a file structure or setting the personal identification number (PIN), because those are card-specific functions and can only be done using specialized software provided by the smart card manufacturer.

For instructions on enrolling users for smart card certificates, see Set up a smart card for user logon. Note that users that log on to computers running a Windows 2000 operating system must have a smart card enrolled from a computer running Windows 2000. Users that log on to computers running Windows XP or Windows Server 2003, Standard Edition can have a smart card enrolled from a computer running any of these operating systems.