Certificate Propagation Service
Updated: February 18, 2010
Applies To: Windows 7, Windows Server 2008 R2
The certificate propagation service applies when a logged-on user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. The service action is controlled by using Group Policy. For information about Group Policy and Group Policy settings, see Smart Card Group Policy and Registry Settings.
The certificate propagation service must be running for smart card Plug and Play to work.
The following figure shows the flow of the certificate propagation model. In the diagram, a logged-on user inserts a smart card. The arrow labeled 1 indicates that the Service Controller notifies CertPropSvc when a user logs on. On logon notification, CertPropSvc begins to monitor the smart cards in the user session. The arrow labeled R represents the possibility of a remote session and the use of smart card redirection.
A logged-on user inserts a smart card.
CertPropSvc is notified that a smart card was inserted.
CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store.
The certificate propagation service is started as a Remote Desktop Services dependency.
Properties of the certificate propagation service are:
CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES adds certificates to a user's Personal store.
If the certificate has the CERT_ENROLLMENT_PROP_ID property (as defined by wincrypt.h), it filters empty requests and places them in the current user's request store but does not propagate them to the user's Personal store.
The service does not propagate any computer certificates to a user's Personal store or user certificates to a computer store.
The service propagates certificates according to Group Policy options that are set:
Turn on certificate propagation from the smart card specifies whether a user's certificate should be propagated.
Turn on root certificate propagation from smart card specifies whether root certificates should be propagated.
Configure root certificate cleanup specifies how root certificates are removed.
Root certificate propagation service
Root certificate propagation is responsible for specific smart card deployment scenarios where public key infrastructure (PKI) trust has not yet been established:
Joining the domain
Accessing a network remotely
In both cases, the computer is not joined to a domain and, therefore, trust is not being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller or the RADIUS server. Root certificate propagation provides the ability to use the smart card to include the missing trust chain.
On smart card insertion, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise. You may also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user logs off. This is configurable with Group Policy. For more information about Group Policy or Group Policy settings, see Smart Card Group Policy and Registry Settings.
For more information about root certificate requirements, see Smart card root certificate requirements for use with domain join.